I had this message in my log
```
Dez 30 08:14:46 kernel: audit: type=1400 audit(1735542886.787:307): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/etc/paperspecs" pid=317509 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
If the second commit is bad, I can drop it.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1472
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit e5a960a685)
While cups itself writes to /etc the others require only read-only access
and might therefore live in /usr/etc.
(cherry picked from commit c3af6228fd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Gtk applications like Firefox request write access to the file
`/run/user/1000/dconf/user`. The code in `dconf_shm_open` opens the file
with `O_RDWR | O_CREAT`.
4057f8c84f/shm/dconf-shm.c (L68)
(cherry picked from commit 318fb30446)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Fix priority for file rules, and the ability to dump the dfa at different stages, and update and fix the equality tests.
This in particular adds the ability to better debug the equality tests. Instead of just piping the parser output into the hash it creates a tmp dir and drops the binary files there so they can be manually examined. It adds new options particularly the -r option making so the tests will exit on first failure to make it easier to isolate and examine a failure.
Eg.
```
./equality.sh -r -d -v
Equality Tests:
................................................................................................................................................................................................................................
Binary inequality 'priority=-1'x'priority=-1' change_hat rules automatically inserted
FAIL: Hash values match
parser: ./../apparmor_parser -QKSq --features-file=./features_files/features.all
known-good (ee4f926922ecd341f1389a79dd155879) == profile-under-test (ee4f926922ecd341f1389a79dd155879) for the following profiles:
known-good /t { priority=-1 owner /proc/[0-9]*/attr/{apparmor/,}current a, ^test { priority=-1 owner /proc/[0-9]*/attr/{apparmor/,}current a, /f r, }}
profile-under-test /t { priority=-1 owner /proc/[0-9]*/attr/{apparmor/,}current w, ^test { priority=-1 owner /proc/[0-9]*/attr/{apparmor/,}current w, /f r, }}
files retained in "/tmp/eq.3240859-deHu10/"
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1455
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 40e9b2a961)
There is a general industry wide effort to move off of md5 and even
sha1 (see recent kernel changes). While in this particular use case it
doesn't make a difference (besides slightly lowering the chance of a
collision) switch to sha256sum to make sure our code doesn't depend on
tools that are deprecated and there is an effort to remove.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 027b508da8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similar to the deny x permission tests, the tests that test carving
out r permissions need to be updated to be conditional on what
priority is being used on the rule.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit bf7b80c478)
Signed-off-by: John Johansen <john.johansen@canonical.com>
With priority rules, deny does not carve out permissions from the
higher priority rule. Technically it doesn't from lower priority either
as it completely overrides them, but that case already results in
an inequality so does not cause the tests to fail.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 25f16b239d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
cx rules using a specified profile transition, may be emulated by
using px and a hierarchical profile name. That is
cx -> b
may be transformed into
px -> profile//b
which will generate an xtable entry of
profile//b
which means the previous patch using
pivot_root -> b,
to reliably add b to the xtable will not cover this case.
transition to using two pivot_root rules to provide the xtable entries
pivot_root /a -> b,
pivot_root /c -> /t//b,
the paths /a and /c are irrelavent as long as they don't have an
overlap with the generic globbing expression in the test, Two table
entries will be generated. We guarantee no overlap by converting the
/** to /f**
Also the xtable reserving rules are moved to the end of the profile so
the table order can be reliably created. A follow on MR around xtable
improvements should add reliability to xtable order.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 369029dc07)
Signed-off-by: John Johansen <john.johansen@canonical.com>
exec rules that specify an specific target profile generate an entry
in the xtable. The test entries containing " -> b" are an example of
this.
Currently the parser allocates the xtable entry before priorities are
applied in the backend, or minimization is done. Further more the
parser does not ref count the xtable entry to know what it is no
longer referenced.
The equality tests generate rules that are designed to completely
override and remove a lower priority rule, and remove it. Eg.
/t { priority=1 /* ux, /f px -> b, }
and then compares the generated profile to the functionaly equivalent
profile eg.
/t { priority=1 /* ux, }
To verify the overridden rule has been completely removed.
Unfortunately the compilation is not removing the unused xtable entry
for the specified transition, causing the equality comparison to fail.
Ideally the parser should be fixed so unused xtable entries are removed,
but that should be done in a different MR, and have its own test.
To fix the current tests, and another rule that adds an xtable entry
to the same target that can not be overriden by the x rule using
pivot_root. The parser will dedup the xtable entry resulting in the
known and test profile both having the same xtable. So the test will
pass and meet the original goal of verifying the x rule being overriden
and eliminated.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 84650beb2f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Failed equality tests can be hard to debug. The profiles aren't always
enough to figure out what is going on. Add several options that will
help in debugging, and developing new tests.
Add switches and arg parsing.
Add the ability to run tests individually
Add a -r flag to allow retaining the test and output
similar to the regression tests, so the exact output from the
tests can be examined.
Add a -d flag to dump dfa build information.
Allow overriding the parser, features, and description for a given
test run.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit cca842b897)
Signed-off-by: John Johansen <john.johansen@canonical.com>
printf of failure/error info should be going to stderr. Unfortunately
the test has a mix of 2>&1 and 1>&2. Having a mix is just wrong, we
could standardize on either but since the info is error info 1>&2
seems to be the better choice.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 31e60baab2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The test was passing because the file priority was always zero bug
resulting in the priority rule always being correctly combined
with the specific match x rule, instead of overriding it.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 57c57f198c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The test was passing because the file priority always being zero bug,
the supplied rule always had the same priority as the implied
rule. Resulting in binary_equality always passing even though the
specified priority should have resulted in a failure.
Fix this by checking if the priorities are equal to the implied
rule other wise it should result in an inequality.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 4b410b67f1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When there is a failure output the exact call info used to invoke the
parser. To facilitate manually recreating the test.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d275dfdd42)
Signed-off-by: John Johansen <john.johansen@canonical.com>
With the file priority fix the xequality (expected equal but known
failure) tests are now passing. So convert them to regular equality
tests.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit fcee32a37e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The dfa goes through several stages during the build. Allow dumping it
at the various stages instead of only at the end.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 5d2a38e816)
Signed-off-by: John Johansen <john.johansen@canonical.com>
File rules could drop priority info when rule matched a rule
that was the same except for having different priority. For now
fix this by treating them as a different rule.
The priority was also be dropped when add_prefix was used to
add the priority during the parse resulting in file rules always
getting a default priority of 0.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9d5b86bc9d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Starting with Python 3.8, you can use the PYTHONPYCACHEPREFIX environment
variable to define a cache directory for Python [1]. I think most people would set
this dir to @{HOME}/.cache/python/ , so the python abstraction should allow
writing to this location.
[1]: https://docs.python.org/3/using/cmdline.html#envvar-PYTHONPYCACHEPREFIX
(cherry picked from commit 03b5a29b05)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Depending on the system, copying echo to the loop device fails because the echo binary is too large.
Especially on systems that have echo be just a symlink to coreutils (e.g. busybox) (as opposed to echo being its own binary) 16k is just not enough.
2M seems fine on my system, but this might need yet a higher value depending on what coreutils other people actually run.
The crash in question:
```
cp: error writing '/tmp/sdtest.3937422-31490-Bxvi6g/mount_target/echo': No space left on device
Fatal Error (file_unbindable_mount): Unexpected shell error. Run with -x to debug
rm: cannot remove '/tmp/sdtest.3937422-31490-Bxvi6g/mount_target': Device or resource busy
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1469
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 8e431ebcd9)
Depending on the system, copying echo to the loop device fails because the echo binary is too large.
Especially on systems that have echo be just a symlink to coreutils (e.g. busybox) 16k is just not enough.
2M seems fine on my system, but this might need yet a higher value depending on what coreutils other people actually run.
The actual loop device needs to be larger to properly fit the allocated file size. Testing shows 4M is sufficient, but this is basically arbitrary.
(cherry picked from commit 1cc2a3bd86)
Signed-off-by: John Johansen <john.johansen@canonical.com>
- previously, aa-status --json --show profiles would return non-standard json
- adding the --pretty flag would crash completely
- closes#470
Things done:
- removed trailing ", " in json generation
- generate json seperator (", ") for each new json field
(profiles/processes) after the header if json is enabled
Tested on NixOS and apparmor 4.0.3 base, but should work on any version the patch applies on.
Closes#470
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1451
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit c489631770)
- previously, aa-status --json --show profiles would return non-standard json
- adding the --pretty flag would crash completely
- closes#470
Things done:
- removed trailing ", " in json generation
- generate json seperator (", ") for each new json field
(profiles/processes) after the header if json is enabled
Tested on NixOS and apparmor 4.0.3 base, but should work on any version the patch applies on.
(cherry picked from commit 4f006a660c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This MR is meant to resolve warnings such as "Warning: execname '/home/username/Documents/apparmor/tests/regression/apparmor/file_unbindable_mount': no such file or directory" when running tests like the one in the current version of !1448.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1450
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 59957aa1d8)
When settest was called with two parameters, one for the test name and
the other for the test wrapper/binary, the profile created with
genprofile would show the test name, causing an error if the file
didn't exist.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit b4adff2ce0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some of the tests using the --stdin option of mkprofile.pl are adding
more than one profile at a time. Whenever a profile is created in the
test, its name is added to the file profile.names so the test
infrastructure can tell if the profile is loaded or removed when
appropriately. The issue is that the name of the second profile
created by --stdin is not added, so these checks are not applied.
This patch adds the option of appending a second profile (not rules).
The option --append was used instead of a short -A because the short
options are arguments of mkprofile.pl, which --append is not.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 0307619ed9)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Due to how the tests were implemented in the past, permissions could
be passed along with the image name, and the permission part would be
discarded. The issue is that permissions are usually separated by ':',
but namespaces also contain ':', which would cause a conflict.
Since permissions are no longer passed as part of the image name,
remove that description so profile names in namespaces can be
supported.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 9cc40e2dca)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While the mount syscall documentation disallows this, the kernel silently
ignores make-* flags when doing a remount, and real applications were
passing this conflicting set of flags. Because changing the kernel to
reject this combination would break userspace, we should allow them
instead.
For an example: see https://bugs.launchpad.net/apparmor/+bug/2091424.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 52babe8054)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The previous code would concatenate all of them together without spacing.
While dump_flags and the corresponding operator<< function aren't currently used,
this will help for when dump_flags is used to debug parser problems.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 96718ea4d1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Swap on ZFS is *weird*. Getting it working needs some special casing, see e.g. https://askubuntu.com/questions/1198903/can-not-use-swap-file-on-zfs-files-with-holes
Currently, the swap regression test fails on my system (with /tmp in zfs):
```bash
tests/regression/apparmor ❯ ./swap.sh
Error: swap failed. Test 'SWAPON (unconfined)' was expected to 'pass'. Reason for failure 'FAIL: swapon /tmp/sdtest.872368-19048-kN4FN2/swapfile failed - Invalid argument'
Error: swap failed. Test 'SWAPOFF (unconfined)' was expected to 'pass'. Reason for failure 'FAIL: swapoff /tmp/sdtest.872368-19048-kN4FN2/swapfile failed - Invalid argument'
swapon: /tmp/sdtest.872368-19048-kN4FN2/swapfile: skipping - it appears to have holes.
Fatal Error (swap): Unexpected shell error. Run with -x to debug
```
However, just doing a file mount does make the test work on zfs, similar to how it is done with tmpfs. This means we don't need any special-casing for zfs beyond what is already there for working around (similar) tmpfs limitations.
Also, while researching this, it is possible a similar patch is needed for btrfs, but i currently don't have an easy way to test that.
This is non-breaking for anyone *not* using zfs, and it is currently broken with zfs anyways.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1462
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit e8f1ac4791)
previously, this check would fail if the setuptools version would contain non-integers.
On my system, that is the case: `setuptools.__version__` is `'75.1.0.post0'`
I believe it is entirely fair to just check the relevant bits and refuse to continue if those can not be checked properly.
Having some extra slug on the version should not immediately cause issues (e.g. the `post0` here, or slugs like `beta`, `alpha` and the likes).
Probably only very few systems are running setuptools with weird version info, but supporting this is a simple one-line change i figured i might as well MR.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1460
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit b3de4ef022)
previously, this check would fail if the setuptools version would contain non-integers.
On my system, that is the case: `setuptools.__version__` is `'75.1.0.post0'`
I believe it is entirely fair to just check the relevant bits and refuse to continue if those can not be checked properly.
But haviong something extra on the version should not immediately cause issues (e.g. the `post0` here, or slugs like `beta`, `alpha` and the likes).
Probably only very few systems are running setuptools with weird version info, but supporting this doesn't cost much, i believe.
(cherry picked from commit 3302ae98e4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
MS_SYNC is a flag for msync(2) while MS_SYNCHRONOUS is a flag for mount(2).
The header used to define MS_SYNC but IMO this is confusing since that's an
unrelated flag.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit d164e877f5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
By placing a bzImage into the top level of the AppArmor git repository one can
instruct spread and image-garden to use that image instead of booting
traditionally with an EFI / full disk image pair.
In addition, make error handling in qemu more robust, so failures are both
surfaced and do not cause endless attempts to allocate.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1452
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 239ae21b69)
By placing a bzImage into the top level of the AppArmor git repository one can
instruct spread and image-garden to use that image instead of booting
traditionally with an EFI / full disk image pair.
In addition, make error handling in qemu more robust, so failures are both
surfaced and do not cause endless attempts to allocate.
Please update image-garden to at least 5a00ead9964df6463e19432ae50e7760fc6da755
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 7031b5aeee)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The test adds a very small and simple smoke test that shows that a mount rule
with both fstype and options allows mounts to be performed on a real running
kernel.
The test is structured in a way that should make it easy to extend with new
variants (flags, fstype) in the future.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 1f60021979)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Spread is a full-system, or integration test suite runner initially developed
to test snapd. Over time it has spread to other projects where it provides a
structured way to organize, run and debug complex full-system interactions.
Spread is documented on https://github.com/canonical/spread and is used in
production since late 2016.
Spread has a notion of backends which are responsible for allocating and
discarding test machines. For the purpose of running AppArmor regression tests,
I've combined spread with my own tool, image garden. The tool provides
off-the-shelf images, constructed on-the-fly from freely available images, and
makes them easily available to spread.
The reason for doing it this way is so that using non-free cloud systems is not
required and anyone can repeat the test process locally, on their own computer.
Vanilla spread is somewhat limited to x86-64 systems but the way I've used it
here makes it equally possible to test x86_64 *and* aarch64 systems. I've done
most of the development on an ARM single-board-computer running on my desk.
Spread requires a top-level spread.yaml file and a collection of task.yaml
files that describe individual tasks (for us, those are just tests). Tasks have
no implied dependency except that to reach a given task, spread will run all
the _prepare_ statements leading to that task, starting from the project, test
suite and then task. With proper care one can then run a specific individual
test with a one-line command, for example:
```
spread -v garden:ubuntu-cloud-24.04:tests/regression/apparmor:at_secure
```
This will prepare a fresh ubuntu-cloud-24.04 system (matching the CPU
architecture of the host), copy the project tree into the test machine, install
all the build dependencies, build all the parts of apparmor and then run one
specific variant of the regression test, namely the at_secure program.
Importantly the same test can also run on, say debian-cloud-13 (Debian Trixie),
but also, if you have a Google cloud account, on Google Compute Engine or in
one of the other backends either built into spread or available as a fork of
spread or as a helper for ad-hoc backend. Spread can also create more than one
worker per system and distribute the tests to all of the available instances.
In no way are we locking ourselves out of the ability to run our test suite on
our target of choice.
Spread has other useful switches, such as:
- `-reuse` for keeping machines around until discarded with -discard
- `-resend` for re-sending updated copy of the project (useful for -reuse)
- `-debug` for starting an interactive shell on any failure
- `-shell` for starting an interactive shell instead of the `execute` phase
This first patch contains just the spread elements, assuming that both spread
and image-garden are externally installed. A GitLab continuous integration
installing everything required and running a subset of tests will follow
shortly.
I've expanded the initial selection of systems to allow running all the tests
on several versions of Ubuntu, Debian and openSUSE, mainly as a sanity check
but also to showcase how practical spread is at covering real-world systems.
A number of tests are currently failing:
- garden:debian-cloud-12:tests/regression/apparmor:attach_disconnected
- garden:debian-cloud-12:tests/regression/apparmor:deleted
- garden:debian-cloud-12:tests/regression/apparmor:unix_fd_server
- garden:debian-cloud-12:tests/regression/apparmor:unix_socket_pathname
- garden:debian-cloud-13:tests/regression/apparmor:attach_disconnected
- garden:debian-cloud-13:tests/regression/apparmor:deleted
- garden:debian-cloud-13:tests/regression/apparmor:unix_fd_server
- garden:debian-cloud-13:tests/regression/apparmor:unix_socket_pathname
- garden:opensuse-cloud-15.6:tests/regression/apparmor:attach_disconnected
- garden:opensuse-cloud-15.6:tests/regression/apparmor:deleted
- garden:opensuse-cloud-15.6:tests/regression/apparmor:e2e
- garden:opensuse-cloud-15.6:tests/regression/apparmor:unix_fd_server
- garden:opensuse-cloud-15.6:tests/regression/apparmor:unix_socket_pathname
- garden:opensuse-cloud-15.6:tests/regression/apparmor:xattrs_profile
In addition, only on openSUSE, I've skipped the entire test suite of the utils
directory, as it requires python3 ttk themes, which I cannot find in packaged
form.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1432
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit d9304c7653)
- Tests defined in utils/test are now described by a task.yaml in the same
directory and can run concurrently across many machines.
- Tests for utils/ are now executed on openSUSE Tumbleweed since ttk themes is
no longer a hard dependency in master.
- Tests no longer run on openSUSE Leap 15.6 due to the age of default
Python (3.6) and gcc/g++. The tight integration with SWIG which does
not seem to support other Python versions very well. Perl hard-codes
old GCC for extension modules. The upcoming openSUSE Leap 16 should be
a viable target. In the meantime we can still test everything through
rolling-release Tumbleweed.
- Formatting of YAML files is now more uniform, at four spaces per tab.
- The run-spread.sh script is now in the root of the tree. The script allows
running all spread tests sequentially on one system, while collecting logs
and artifacts for convenient analysis after the fact.
- All systems are adjusted to run _four_ workers in parallel with _two_ virtual
cores each and equipped with 1.5GB of virtual memory. This aims to best
utilize the capacity of a typical CI worker with two to four cores and about
8GB of available memory.
- Failing tests are marked as such, so that as a whole the entire spread suite
can pass and be useful at catching regressions.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 1df91e2c8c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Compared to v1 the following improvements have been made:
- The cost of installing packages have been shifted from each startup to image
preparation phase, thanks to the integration of custom cloud-init profiles
into image-garden. This has dramatic impact on iteration time while also
entirely removing requirement to be online to run once a prepared image is
available.
- Support for running on Google Compute Engine has been removed since it would
not be able to use cloud-init the same way would currently only complicate
setup.
- The number of workers have been tuned for local iteration, aiming for
comfortable work with 16GB of memory on the host. Once CI/CD pipeline
support is introduced I will add a dedicated entry so that resources are
utilized well both locally and when running in CI.
- The set of regression tests listed in tests/regression/apparmor/task.yaml is
now cross-checked so introduction of a new test to the makefile there is
automatically flagged and causes spread to fail with a clear message.
- The task tests/unit/utils has been improved to generate profiles. Thanks to
Christian Boltz for explaining this relationship between tests.
- A number of comments have been improved and cleaned up for readability,
accuracy and sometimes better grammar.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit c95ac4d350)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Spread is a full-system, or integration test suite runner initially developed
to test snapd. Over time it has spread to other projects where it provides a
structured way to organize, run and debug complex full-system interactions.
Spread is documented on https://github.com/canonical/spread and is used in
production since late 2016.
Spread has a notion of backends which are responsible for allocating and
discarding test machines. For the purpose of running AppArmor regression tests,
I've combined spread with my own tool, image garden. The tool provides
off-the-shelf images, constructed on-the-fly from freely available images, and
makes them easily available to spread.
The reason for doing it this way is so that using non-free cloud systems is not
required and anyone can repeat the test process locally, on their own computer.
Vanilla spread is somewhat limited to x86-64 systems but the way I've used it
here makes it equally possible to test x86_64 *and* aarch64 systems. I've done
most of the development on an ARM single-board-computer running on my desk.
Spread requires a top-level spread.yaml file and a collection of task.yaml
files that describe individual tasks (for us, those are just tests). Tasks have
no implied dependency except that to reach a given task, spread will run all
the _prepare_ statements leading to that task, starting from the project, test
suite and then task. With proper care one can then run a specific individual
test with a one-line command, for example:
```
spread -v garden:ubuntu-cloud-24.04:tests/regression/apparmor:at_secure
```
This will prepare a fresh ubuntu-cloud-24.04 system (matching the CPU
architecture of the host), copy the project tree into the test machine, install
all the build dependencies, build all the parts of apparmor and then run one
specific variant of the regression test, namely the at_secure program.
Importantly the same test can also run on, say debian-cloud-13 (Debian Trixie),
but also, if you have a Google cloud account, on Google Compute Engine or in
one of the other backends either built into spread or available as a fork of
spread or as a helper for ad-hoc backend. Spread can also create more than one
worker per system and distribute the tests to all of the available instances.
In no way are we locking ourselves out of the ability to run our test suite on
our target of choice.
Spread has other useful switches, such as:
- `-reuse` for keeping machines around until discarded with -discard
- `-resend` for re-sending updated copy of the project (useful for -reuse)
- `-debug` for starting an interactive shell on any failure
- `-shell` for starting an interactive shell instead of the `execute` phase
This first patch contains just the spread elements, assuming that both spread
and image-garden are externally installed. A GitLab continuous integration
installing everything required and running a subset of tests will follow
shortly.
I've expanded the initial selection of systems to allow running all the tests
on several versions of Ubuntu, Debian and openSUSE, mainly as a sanity check
but also to showcase how practical spread is at covering real-world systems.
A number of systems and tests are currently failing:
- garden:debian-cloud-12:tests/regression/apparmor:attach_disconnected
- garden:debian-cloud-12:tests/regression/apparmor:deleted
- garden:debian-cloud-12:tests/regression/apparmor:unix_fd_server
- garden:debian-cloud-12:tests/regression/apparmor:unix_socket_pathname
- garden:debian-cloud-13:tests/regression/apparmor:attach_disconnected
- garden:debian-cloud-13:tests/regression/apparmor:deleted
- garden:debian-cloud-13:tests/regression/apparmor:unix_fd_server
- garden:debian-cloud-13:tests/regression/apparmor:unix_socket_pathname
- garden:opensuse-cloud-15.6:tests/regression/apparmor:attach_disconnected
- garden:opensuse-cloud-15.6:tests/regression/apparmor:deleted
- garden:opensuse-cloud-15.6:tests/regression/apparmor:e2e
- garden:opensuse-cloud-15.6:tests/regression/apparmor:unix_fd_server
- garden:opensuse-cloud-15.6:tests/regression/apparmor:unix_socket_pathname
- garden:opensuse-cloud-15.6:tests/regression/apparmor:xattrs_profile
- garden:opensuse-cloud-tumbleweed:tests/regression/apparmor:attach_disconnected
- garden:opensuse-cloud-tumbleweed:tests/regression/apparmor:deleted
- garden:opensuse-cloud-tumbleweed:tests/regression/apparmor:unix_fd_server
- garden:opensuse-cloud-tumbleweed:tests/regression/apparmor:unix_socket_pathname
- garden:ubuntu-cloud-22.04:tests/regression/apparmor:attach_disconnected
In addition, only on openSUSE, I've skipped the entire test suite of the utils
directory, as it requires python3 ttk themes, which I cannot find in packaged
form.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit cc04181578)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The new check-one-test-% pattern rule allows running individual test scripts.
This allows them to be tested in parallel across many Make worker threads or
across many distinct machines with spread.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 9588b06e0f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Tests #466 but is marked as expected fail due to that bug not being resolved.
Depends on !1441 which adds the xfail infrastructure to the parser equality testing framework, and should be rebased on top of master once that MR is merged.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1443
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit e1d8bf1888)
currently the equality tests require the tests to PASS as known equality
or inequality. Add the ability to add tests that are a known problem
and are expected to fail the equality, or inequality test.
This is done by using
verify_binary_xequality
verify_binary_xinequality
This allows new tests to be added to document a known issue, without
having to develop the fix for the issue. The use of this facility
is expected to be temporary, so any test marked as xequality or
xinequality will be noisy but not fail the other tests until they
are fixed, at which point they will cause the tests to fail to
force them to be updated to the correct equality or inequality
test.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1441
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 53e322b755)
currently the equality tests require the tests to PASS as known equality
or inequality. Add the ability to add tests that are a known problem
and are expected to fail the equality, or inequality test.
This is done by using
verify_binary_xequality
verify_binary_xinequality
This allows new tests to be added to document a known issue, without
having to develop the fix for the issue. The use of this facility
is expected to be temporary, so any test marked as xequality or
xinequality will be noisy but not fail the other tests until they
are fixed, at which point they will cause the tests to fail to
force them to be updated to the correct equality or inequality
test.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit b81ea65c1c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The regression test suite uses root with capabilities restricted in
several tests. This can cause the test suite to fail in weird and
confusing ways.
Add a test to check for DAC permissiosns from / to the testsuite
and abort running the tests with an error message if DAC permissions
are going to cause the test suite to fail.
Currently the test is pretty basic, but is better than nothing.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1411
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit c5b17d85ea)
The regression test suite uses root with capabilities restricted in
several tests. This can cause the test suite to fail in weird and
confusing ways.
Add a test to check for DAC permissiosns from / to the testsuite
and abort running the tests with an error message if DAC permissions
are going to cause the test suite to fail.
Currently the test is pretty basic, but is better than nothing.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 82e4b4ba00)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Using this version of make:
```
GNU Make 4.2.1
Built for x86_64-suse-linux-gnu
```
I'm not entirely sure why but the alternative syntax I've used works correctly.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 4caf0aff81)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This fixes the test to pass on openSUSE Tumbleweed, where the small size
prevented alloction of an inode for the `lost+found` directory:
```
garden:opensuse-cloud-tumbleweed .../tests/regression/apparmor# mkfs.ext2 -F -m 0 -N 10 /tmp/sdtest.32929-21402-6x826m/image.ext3
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 512 1k blocks and 8 inodes
Allocating group tables: done
Writing inode tables: done
ext2fs_mkdir: Could not allocate inode in ext2 filesystem while creating /lost+found
```
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 32ee85cef8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This fixes an error with Python 3.11:
```
test/test-parser-simple-tests.py:420:21: E502 the backslash is redundant between brackets
```
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 92fcdcab9e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Which is technically not POSIX and command -v works everywhere. This fixes
building and running the test suite on openSUSE Tumbleweed.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 4b0adc63f5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
On a test system without bison installed, make setup fails with:
/bin/sh: 1: bison: not found
/bin/sh: 1: test: -ge: unexpected operator
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit f58fe9cd52)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The file was quoted with the following space, making the test broken.
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
(cherry picked from commit 8c16fb2700)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Match Flags convert output to hex but don't restore after outputting
the flag resulting in following numbers being hex encoded. This
results in dumps that can be confusing eg.
rule: \d2 -> \x2 priority=1001 (0x4/0)< 0x4>
rule: \d7 -> \a priority=3e9 (0x4/0)< 0x4>
rule: \d10 -> \n priority=3e9 (0x4/0)< 0x4>
rule: \d9 -> \t priority=3e9 (0x4/0)< 0x4>
rule: \d14 -> \xe priority=1001 (0x4/0)< 0x4>
where priority=3e9 is the hex encoded priority 1001.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1419
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 2e77129e15)
Match Flags convert output to hex but don't restore after outputting
the flag resulting in following numbers being hex encoded. This
results in dumps that can be confusing eg.
rule: \d2 -> \x2 priority=1001 (0x4/0)< 0x4>
rule: \d7 -> \a priority=3e9 (0x4/0)< 0x4>
rule: \d10 -> \n priority=3e9 (0x4/0)< 0x4>
rule: \d9 -> \t priority=3e9 (0x4/0)< 0x4>
rule: \d14 -> \xe priority=1001 (0x4/0)< 0x4>
where priority=3e9 is the hex encoded priority 1001.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a31343c5f7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Most `tests/regression/apparmor/*.sh` scripts contain
. $bin/prologue.inc
This will explode if one of the parent directories contains a space.
Minimized reproducer:
```
# cat test.sh
pwd=`dirname $0`
pwd=`cd $pwd ; /bin/pwd`
bin=$pwd
echo "pwd: $bin"
. $bin/prologue.inc
# ./test.sh
pwd: /tmp/foo bar
./test.sh: line 9: /tmp/foo: No such file or directory
```
Notice that test.sh tries to source `/tmp/foo` instead of `/tmp/foo bar/prologue.inc`.
The fix is to quote the prologue.inc path:
. "$bin/prologue.inc"
While on it, also fix other uses of $bin - directly and indirectly - by quoting them.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1418
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a422d2ea17)
... to avoid issues with spaces in a parent directory's name.
"Indirect uses" means usage of $bin via another variable, for example
`foo=$bin/whatever`
(cherry picked from commit 55db4af979)
Signed-off-by: John Johansen <john.johansen@canonical.com>
... to avoid issues with spaces in a parent directory's name.
(cherry picked from commit 22cf88b7c7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Most `tests/regression/apparmor/*.sh` scripts contain
. $bin/prologue.inc
This will explode if one of the parent directories contains a space.
Minimized reproducer:
```
pwd=`dirname $0`
pwd=`cd $pwd ; /bin/pwd`
bin=$pwd
echo "pwd: $bin"
. $bin/prologue.inc
pwd: /tmp/foo bar
./test.sh: line 9: /tmp/foo: No such file or directory
```
Notice that test.sh tries to source `/tmp/foo` instead of `/tmp/foo bar/prologue.inc`.
The fix - as done in this commit - is to quote the prologue.inc path:
. "$bin/prologue.inc"
(cherry picked from commit e1972eb22f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of encoding permissions in the accept and accept2 tables
extended perms uses a permissions table and accept becomes an index
into the table.
Add the ability to dump the permissions table so that it can be
compared and debugged.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 45964d34e7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The chfa dump is missing information about the accept2 entry. The
accept2 information is necessary to help with debugging state machine
builds as accept2 is used to store quiet and audit information in the
old format or conditional information in the extended perms format.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 00dedf10ad)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The Makefile is missing some of its .h depenedncies causing compiles
to either fail or worse result in bad builds when rebuilding in an
already built tree.
Move the header dependencies into a variable and use it for each
target. While some targets don't need every include as a dependency
and this will result in unnecessary rebuilds in some cases, it makes
the Makefile cleaner, easier to maintain and makes sure a dependency
isn't accidentally missed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 7cc7f47424)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser recently changed how/where deny information is applied.
commit 1fa45b7c1 ("parser: dfa minimization prepare for extended
permissions") removed the implicit filtering of explicit denies during
the minimization pass. The implicit clear allowed the explicit
information to be carried into the minimization pass and merged with
implicit denies. The end result being a minimized dfa with the explicit
deny information available to be applied post minimization, and
then dropped later at permission encoding in the accept entries.
Extended permission however enable carrying explicit deny information
into the kernel to fix certain bugs like complain mode not being
able to distinguish between implicit and explicit deny rules (ie.
deny rules get ignored in complain mode). However keeping explicit
deny information when unnecessary result in a larger state machine
than necessary and slower compiles.
commit 179c1c1ba ("parser: fix minimization check for filtering_deny")
Moved the explicit apply_and_clear_deny() pass to before minimization
to restore mnimization's ability to create a minimized dfa with
explicit and implicit deny information merged but this also cleared
the explicit deny information that used to be carried through
minimization. This meant that when the deny information was applied
post minimization it resulted in the audit and quiet information
being cleared.
This resulted in the query_label tests failing as they are checking
for the expected audit infomation in the permissions.
Fixes: 179c1c1ba ("parser: fix minimization check for filtering_deny")
Bug: https://gitlab.com/apparmor/apparmor/-/issues/461
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1408
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit eb365b374d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
If a user specifies a non-existing file to merge into the profiles
(`aa-mergeprof /file/not/found`), this results in a backtrace showing an
AppArmorBug because that file unsurprisingly doesn't end up in the
active_profiles filelist.
Handle this more gracefully by adding a read_error_fatal parameter to
read_profile() that, if set, forwards the exception. With that,
aa-mergeprof doesn't try to list the profiles in this non-existing file.
Note that all other callers of read_profile() continue to ignore read
errors, because aborting just because a single file in /etc/apparmor.d/
(for example a broken symlink) isn't readable would be a bad idea.
This bug was introduced in 4e09f315c3, therefore I propose this patch for 3.0..master
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1403
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 5ebbe788ea)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Bash will try to read the passwd database to find the shell of a user if
$SHELL is not set. This causes zgrep to trigger
```
apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/nsswitch.conf" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/passwd" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
if called in a sanitized environment. As the functionality of zgrep is
not impacted by a limited Bash environment, add deny rules to avoid the
potentially misleading AVC messages.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
(cherry picked from commit 48483f2ff8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of always storing the name of the main profile, store the child
profile/hat name if we are in a child profile or hat.
As a result, we always get the correct "profile xy" header even for
child profiles when dumping the ProfileStorage object.
Also extend the tests to check that the name gets stored correctly.
(cherry picked from commit cb943e4efc)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is neeed for "inherit owner = yes" in smb.conf.
From man smb.conf:
inherit owner (S)
The ownership of new files and directories is normally governed by
effective uid of the connected user. This option allows the Samba
administrator to specify that the ownership for new files and
directories should be controlled by the ownership of the parent
directory.
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1234327
I propose this fix for 3.x, 4.x and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1456
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a315d89a2b)
d3050285 smbd: allow capability chown
Co-authored-by: John Johansen <john@jjmx.net>
I am upstreaming this patch that is part of the nix package of apparmor for close to a year now.
This fixes the issue at https://github.com/NixOS/nixpkgs/issues/273164 for more distros than just NixOS.
The original merge Request on the nix side patching this was https://github.com/NixOS/nixpkgs/pull/285915.
However, people had issues with gitlab, so this never hit apparmor upstream until now. This does however also mean this patch has seen production and seems to work quite well.
## Original reasoning/message of the patch author:
This check is intended for ensuring that the profiles file can actually
be opened. The *actual* check is performed by the shell, not the read
utility, which won't even be executed if the input redirection (and
hence the test) fails.
If the test succeeds, though, using `read` here might actually
jeopardize the test result if there are no profiles loaded and the file
is empty.
This commit fixes that case by simply using `true` instead of `read`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1438
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 93c7035148)
b4aa00de aa-remove-unknown: fix readability check
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
Seen on various VMs, my guess is that bash wants to translate a uid to a
username.
Log events (slightly shortened)
apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/nsswitch.conf" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/passwd" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I propose this patch for 3.0..master
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1357
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ab16377838)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When the find fails but the insertion also fails, we leak the new node
that we generated. Delete the new node in this case to avoid leaking
memory.
The question remains, however, as to whether we should implement `operator==` in addition to `operator<` so that they are consistent with each other and `find` works correctly.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1399
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 99261bad11)
Signed-off-by: John Johansen <john.johansen@canonical.com>
As I have read multiple MR mentioning the `nameservice-strict`. Therefore, I thought it would make sense to directly import it here.
To give some context, this abstraction is probably the most commonly included abstraction (after `base`). In `apparmor.d`, it is used by over 700 profiles (only counting direct import). Therefore, adding new rules can have an important impact over a lot of profiles.
Note: the abstraction is a direct import from https://gitlab.com/roddhjav/apparmor.d. The license is the same, I obviously kept Morfikov copyright line. However, I am not sure either or not the SPDX identifier can be used here.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1368
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 68376e7fee)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 1fa45b7c1 ("parser: dfa minimization prepare for extended
permissions") removed implicit filtering of explicit denies in the
minimization pass (the information was ignored in building the set of
final accept states).
The filtering of explicit denies reduces the size of the produced
dfa. Since we need to be smarter about when explicit denies are
kept (eg. during complain mode), and most dfas are limited to 65k
states we currently need to filter explicit deny perms by default.
To compensate commit 2737cb2c2 ("parser: minimization - remove
unnecessary second minimization pass") moved the
apply_and_clear_deny() to before minimization. However its check to
apply removal denials before minimization is broken. Remove minimization
triggering apply_and_clear_deny() and just set the FILTER_DENY flag
by default, until we have better selection of rules/conditions where
explicit deny information should be carried through to the backend.
Fixes: 2737cb2c2 ("parser: minimization - remove unnecessary second minimization pass")
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1397
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit e9d6e0ba14)
Signed-off-by: John Johansen <john.johansen@canonical.com>
io_uring and userns mediation are encoding permissions on the class
byte. This is a mistake that should never have been allowed.
With the addition of rule priorities the class byte mediates rule,
that ensure the kernel can determine a class is being mediated is
given the highest priority possible, to ensure class mediation can not
be removed by a deny rule. See
61b7568e1 ("parser: bug fix mediates_X stub rules.")
for details.
Unfortunately this breaks rule classes that encode permissions on the
class byte, because those rules will always have a lower priority and
the class mediates rule will always be selected over them resulting in
only the class mediates permission being on the rule class state.
Fix this by adding the mediaties class rules for these rule classes
with the lowest priority possible. This means that any rule mediating
the class will wipe out the mediates class rule. So add a new mediates
class rule at the same priority, as the rule being added.
This is a naive implementation and does result in more mediates rules
being added than necessary. The rule class could keep track of the
highest priority rule that had been added, and use that to reduce the
number of mediates rules it adds for the class.
Technically we could also get away with not adding the rules for allow
rules, as the kernel doesn't actually check the encoded permission but
whether the class state is not the trap state. But it is required with
deny rules to ensure the deny rule doesn't result in permissions being
removed from the class, resulting in the kernel thinking it is
unmediated. We also want to ensure that mediation is encoded for other
rule types like prompt, and in the future the kernel could check the
permission so we do want to guarantee that the class state has the
MAY_READ permission on it.
Note: there is another set of classes (file, mqueue, dbus, ...) which
encodes a default rule permission as
class .* <perm>
this encoding is unfortunate in that it will also add the permission
to the class byte, but also sets up following states with the permission.
thankfully, this accespt anything, including nothing generally isn't
valid in the nothing case (eg. a file without any absolute name). For
this set of classes, the high priority mediates rule just ensures
that the null match case does not have permission.
Fixes: 61b7568e1 parser: bug fix mediates_X stub rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1307
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit b6e9df3495)
Signed-off-by: John Johansen <john.johansen@canonical.com>
af_protos.h is a generated table of the protocols created by looking
for definitions of IPPROTO_* in netinet/in.h. Depending on the
architecture, the order of the table may change when using -dM in the
compiler during the extraction of the defines.
This causes an issue because there is more than one IPPROTO defined
by the value 0: IPPROTO_IP and IPPROTO_HOPOPTS which is a header
extension used by IPv6. So if IPPROTO_HOPOPTS was first in the table,
then protocol=0 in the audit logs would be translated to hopopts.
This caused a failure in arm 32bit:
Output doesn't match expected data:
--- ./test_multi/testcase_unix_01.out 2024-08-15 01:47:53.000000000 +0000
+++ ./test_multi/out/testcase_unix_01.out 2024-08-15 23:42:10.187416392 +0000
@@ -12,7 +12,7 @@
Peer Addr: @test_abstract_socket
Network family: unix
Socket type: stream
-Protocol: ip
+Protocol: hopopts
Class: net
Epoch: 1711454639
Audit subid: 322
By the time protocol is resolved in grammar.y, we don't have have
access to the net family to check if it's inet6. Instead of making
protocol dependent on the net family, make the order of the
af_protos.h table consistent between architectures using -dD.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1309
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 0ec0e2b035)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This enables adding a priority to a rules in policy.
Rules have a default priority of 0. The priority prefix can be added
before the other currently support rule prefixes, ie.
[priority prefix][audit qualifier][rule mode][owner]
If present a numerical priority can be assigned to the rule, where the
greater the number the higher the priority. Eg.
priority=1 audit file r /etc/passwd,
priority=-1 deny file w /etc/**,
Rule priority allows the rule with the highest priority to completely
override lower priority rules where they overlap. Within a given
priority level rules will accumulate in standard apparmor fashion.
Eg. given
priority=1 w /*c,
priority=0 r /a*,
priority=-1 k /*b*,
/abc, /bc, /ac .. will have permissions of w
/ab, /abb, /aaa, .. will have permissions of r
/b, /bcb, /bab, .. will have permissions of k
User specified rule priorities are currently capped at the arbitrary
values of 1000, and -1000.
Notes:
* not all rule types support the priority prefix. Rukes like
- network
- capability
- rlimits
need to be reworked to properly preserve the policy rule structure.
* this patch does not support priority on rule blocks
* this patch does not support using a variable in the priority value.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1261
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
the ix portion of file, causes x conflicts in regular priority. The
long term goal is to fix this by using dominance for x rules. But in
the mean time we can fix by giving the ix portion of the rule a
reduced priority.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This enables adding a priority to a rules in policy, finishing out the
priority work done to plumb priority support through the internals in
the previous patch.
Rules have a default priority of 0. The priority prefix can be added
before the other currently support rule prefixes, ie.
[priority prefix][audit qualifier][rule mode][owner]
If present a numerical priority can be assigned to the rule, where the
greater the number the higher the priority. Eg.
priority=1 audit file r /etc/passwd,
priority=-1 deny file w /etc/**,
Rule priority allows the rule with the highest priority to completely
override lower priority rules where they overlap. Within a given
priority level rules will accumulate in standard apparmor fashion.
Eg. given
priority=1 w /*c,
priority=0 r /a*,
priority=-1 k /*b*,
/abc, /bc, /ac .. will have permissions of w
/ab, /abb, /aaa, .. will have permissions of r
/b, /bcb, /bab, .. will have permissions of k
User specified rule priorities are currently capped at the arbitrary
values of 1000, and -1000.
Notes:
* not all rule types support the priority prefix. Rukes like
- network
- capability
- rlimits need to be reworked
need to be reworked to properly preserve the policy rule structure.
* this patch does not support priority on rule blocks
* this patch does not support using a variable in the priority value.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently mediates_X stub rules are added to the dfa to ensure a valid
transition state will exist if X should be mediated. The kernel uses
this to test whether the dfa supports certain mediation classes.
Unfortunately the mediates stub rules can be removed by other rules,
combined with minimization. In the allow case this is not a problem,
as if the stub rule is removed it will be due to state merging and the
test will still be valid. Unfortunately the deny case can wipe out the
stub rule in a couple of cases, meaning the when the kernel tests that
its in a valid state for mediation it will fail and treat the dfa as
not mediating the rule type, which results in allowing instead of
denying.
Fix this by making sure mediated stub rules can't be overridden by a
deny rule by giving them maximum priority.
Note: there is another issue with stub rule elimination in the allow
case. It will can cause equality tests to fail when combined
with priority rules, because the stub rules where added at
priority 0 and an actual rule of higher priority could
completely override it removing the permission on the stub rule.
This issue will be caught by the equality.sh tests in the
following patch that exposes priority to rules in policy.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The prefix comparison doesn't need to do as many operations as it is
doing, and the operator< can be based on the cmp() fn further reducing
the chance that the code will get out of sync if prefixes are changed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
the parser front end boolean is used for both boolean and integer
values. This is confusing when integer values different than 1 or 0
are being assigned to and from boolean.
Split its uses into the correct semantic boolean and integer cases.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently use of extended perms are dependent on prompt rules being present
in policy. Switch to using extended perms if they are supported.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Moving apply_and_clear_deny() before the first minimization pass, which
was necessary to propperly support building accept information for
older none extended permission dfas, allows us to also get rid of doing a
second minimization pass if we want to force clearing explicit deny
info from extended permission tables.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of compressing the permission set into 128 bit and using that
as the index in the permission map, just use the permissions directly
as the index into the permission map.
Note: this will break equality and minimization tests. Because deny
is not being cleared it will result in more partitions in the initial
setup. This will be addressed and the tests will be fixed in a follow
on patch.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Hash minimization was removed in
f0b154528 Fix dfa minimization
however some remnants of minimization remained. A comment and the use
of the hash but only as a 0 value. Drop this dead code and comment.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The hfa stores next/check transitions in 16 bit fields to reduce memory
usage. However this means the state machine can on contain 2^16
states.
Allow the next/check tables to be 32 bit. This theoretically could allow
for 2^32 states however the base table uses the top 8 bits as flags
giving us only 2^24 bits to index into the next/check tables. With
most states having at least 1 transition this effectively caps the
number of states at 2^24.
To obtain 2^32 possible states a flags table needs to be added. Add
a skeleton around supporting a flags table, so we can note the remaining
work that needs to be done. This patch will only allow for 2^24 states.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/419
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1303
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The hfa stores next/check transitions in 16 bit fields to reduce memory
usage. However this means the state machine can on contain 2^16
states.
Allow the next/check tables to be 32 bit. This theoretically could allow
for 2^32 states however the base table uses the top 8 bits as flags
giving us only 2^24 bits to index into the next/check tables. With
most states having at least 1 transition this effectively caps the
number of states at 2^24.
To obtain 2^32 possible states a flags table needs to be added. Add
a skeleton around supporting a flags table, so we can note the remaining
work that needs to be done. This patch will only allow for 2^24 states.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/419
Signed-off-by: John Johansen <john.johansen@canonical.com>
Older kernels do not support an xtable grouped with the policy dfa.
The presence of a policy.dfa does not indicate whether we should create
an xtable with the policy dfa.
Instead the check should be if the kernel supports the extended
permstable32 format.
Signed-off-by: John Johansen <john.johansen@canonical.com>
__uint128 is not supported by gcc on 32 bit architectures so rework
the 128 bit map key to be a pair of 64bit numbers.
Signed-off-by: John Johansen <john.johansen@canonical.com>
switch permission bits to use perm32_t type. This is just annotating
the code as it is no different than uint32_t at this time.
We do not convert the accept values as they may be mapped permission
bits or they may be and index value.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The use of xbits can not pass verification so we need to leave them
off this makes the profile a leaf profile.
Signed-off-by: John Johansen <john.johansen@canonical.com>
v1 of permstable32 has some broken verification checks. By using two
copies of a merged dfa and an xtable the same size of the permstable
we can work around the issue.
Signed-off-by: John Johansen <john.johansen@canonical.com>
There are two distinct declarations of perms_t.
rule.h: typedef uint32_t perms_t
hfa.h: class perms_t
these definitions clash when the front end and backend share more info.
To avoid this rename rule.h to perm32_t, and move the definition into
perms.h and use it in struct aa_perms.
Signed-off-by: John Johansen <john.johansen@canonical.com>
If extended permissions are supported use them. We need to build a
permission table and set the accept state of the chfa up as an index
into the table.
For now map the front end permission layout into the old format and
then convert that to the perms table just as the kernel does.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the ability to parse the prompt qualifier but do not provide
functionality because the backend does not currently support prompt
permissions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Remove conditional logic from the parser and move it to its own class,
that way any improvements or conditional features will make cleaner
changes.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
I couldn't figure out why the show info window was using a different
font color than the theme default but this forces its use.
Also, add padding when "Show Current Profile" button is not shown.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
In this change, I'm also removing the messagebox window and reusing
the more info GUI already implemented
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
aa-notify: Enhanced Graphical User Interfaces
- Added support for --prompt-filter=userns: a popup GUI now appears when an unprivileged, unconfined process attempts to create a user namespace, enabling automatic generation of specific unconfined profiles.
- Added GUIs for easy rule addition.
- Upgraded notifications to two-button format, enabling extended information display and direct rule addition.
- Initial support for customized notification messages based on rule type.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1281
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Code assumes full username would be printed, but this actually requires an extra command line option:
Please double check that this is the only place where `last` is called as a binary before merging this MR.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1293
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
POSIX states that d_name has up to NAME_MAX (255) characters, and glibc
stores d_name as an array of size NAME_MAX+1 (256). Thus, supplying
PATH_MAX (4096) as the max length could trigger a buffer overrun. This
could be an even bigger issue on other libcs, as POSIX states that d_name
can be unsized.
Fortunately, this does not seem to cause actual issues, as the length is
only used to compare d_name to a short fixed string. However, it'd be better
to pass the actual correct max length to strnlen.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1290
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
POSIX states that d_name has up to NAME_MAX (255) characters, and glibc
stores d_name as an array of size NAME_MAX+1 (256). Thus, supplying
PATH_MAX (4096) as the max length could trigger a buffer overrun. This
could be an even bigger issue on other libcs, as POSIX states that d_name
can be unsized.
Fortunately, this does not seem to cause actual issues, as the length is
only used to compare d_name to a short fixed string. However, it'd be better
to pass the actual correct max length to strnlen.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The linkage of aa-load with the dynamic libapparmor fails with:
aa_load.c:273: undefined reference to `aa_split_overlay_str'
That is because when aa_split_overlay_str was added to libapparmor,
the function was not added to the library map.
Fixes: 50054ff0 ("add aa_split_overlay_str")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1288
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The linkage of aa-load with the dynamic libapparmor fails with:
aa_load.c:273: undefined reference to `aa_split_overlay_str'
That is because when aa_split_overlay_str was added to libapparmor,
the function was not added to the library map.
Fixes: 50054ff0 ("add aa_split_overlay_str")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Commonly used by applications to determine if Linux is running in
FIPS mode. As we already allow access to FIPS specific library files
as part of base, allow this there as well.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
If the test ran under a fs mounted with nosuid option, then these bits
would be ignored and the test would fail. In that case, detect it and
run the test in a tmpfs mountpoint without nosuid.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
When /tmp is of type tmpfs, the test didn't run because you can't
mount a swapfile on it. This patch mounts an ext2 mountpoint on
$tmpdir so that the swapfile can be mounted on top of it instead of
tmpfs.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
When /tmp is mounted, remounting / as private for tests that don't
work when shared still fail because /tmp remains as shared. The option
-T in findmnt helps determine the mountpoint in a certain directory,
so use that with $tmpdir to determine the root.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The tests that use pivot_root or move mountpoints with mount have to
make sure that / is private for the tests to work. Refactor that logic
into a file to be sourced by the test scripts
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The abi is not being respected by mqueue rules in many cases. If policy
does ot specify an mqueue rule the abi is correctly applied but if
an mqueue rule is specified explicitly or implicitly (eg. allow all).
without setting the mqueue type OR setting the mqueue type to sysv.
The abi will be ignored and mqueue will be enforced for policy regadless.
Known good mqueue rule that respects abi
mqueue type=posix,
# and all variations that keep type=posix
Known bad mqueue rules that do not respect abi
mqueue,
# and all variants that do not specify the type= option
mqueue type=sysv,
# and all variants that specify the type=sysv option
Issue: https://gitlab.com/apparmor/apparmor/-/issues/412
Fixes: d98c5c4cf ("parser: add parser support for message queue mediation")
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1277
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The kernel does not expect a name and it is not used even within the
parser so drop it. Correct the padding calculation.
sizeof(th_version)
includes the trailing \0 in the count so we should not be adding it
explicitly. Doing so made it seem like we were writing an extra byte
and messing things up, because the string write below did not include
the \0 which we had to add explicitly.
Switch to writing the th_version using size_of() bytes as is used in
the pad calculation, to avoid confusion around the header padding.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The abi is not being respected by mqueue rules in many cases. If policy
does ot specify an mqueue rule the abi is correctly applied but if
an mqueue rule is specified explicitly or implicitly (eg. allow all).
without setting the mqueue type OR setting the mqueue type to sysv.
The abi will be ignored and mqueue will be enforced for policy regadless.
Known good mqueue rule that respects abi
mqueue type=posix,
# and all variations that keep type=posix
Known bad mqueue rules that do not respect abi
mqueue,
# and all variants that do not specify the type= option
mqueue type=sysv,
# and all variants that specify the type=sysv option
Issue: https://gitlab.com/apparmor/apparmor/-/issues/412
Fixes: d98c5c4cf ("parser: add parser support for message queue mediation")
Signed-off-by: John Johansen <john.johansen@canonical.com>
`execpath` allows to reliably store the path of the binary that triggered a log.
This is useful because comm was not sufficient to reliably identify a binary
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
This reverts commit 78ae956087.
Commit 78ae956087 causes policy to not
to conform to protocol as determined by the kernel. Technically the
reverted patch is correct and the kernel is wrong but we can not
change 15 years of history.
The reason it breaks the policy in the kernel is because the kernel
does not use the name field, and does not expect it. It just expects
the size with a single trailing 0. This doesn't break because this
section is all padded to 64 bytes so writing the extra 0 doesn't
hurt as it is effectively just manually adding to the padding.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some applications using the bwrap profile don't function properly due to "Failed name lookup - deleted entry". The following denials trying to start flatpak KeePassXC is an example showing that it happens for both bwrap and unpriv_bwrap profiles:
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/\*\*\*\*/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/**/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/**/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Fixes: https://launchpad.net/bugs/2072811
I propose this fix for master and apparmor-4.0
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1272
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Without AA_MAY_MOUNT, mount was not allowed by the allow all
rule. AA_DUMMY_REMOUNT does become AA_MAY_MOUNT, but it fixes the
flags to remount only, so other options are not included. Also, add
allow all rule testcases to the mount regression tests.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/410
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
By specifying 0 in the unix type, all rules were allowing only the
"none" type, when it wanted to allow all types, so replace it by
0xffffffff. Also, add this testcase to the unix regression tests.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/410
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Some applications using the bwrap profile don't function properly due
to "Failed name lookup - deleted entry". The following denials trying
to start flatpak KeePassXC is an example showing that it happens for
both bwrap and unpriv_bwrap profiles:
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Fixes: https://launchpad.net/bugs/2072811
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Saw these couple of accesses fail recently on my Ubuntu 22.04 system:
`Jun 3 15:29:24 darkstar kernel: [5401883.070129] audit: type=1107 audit(1717442964.884:9223): pid=729 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/UPower" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.28" pid=2164500 label="firefox" peer_pid=2502 peer_label="unconfined"`
`Jun 3 15:29:24 darkstar kernel: [5401883.070588] audit: type=1107 audit(1717442964.884:9224): pid=729 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/UPower" interface="org.freedesktop.UPower" member="EnumerateDevices" mask="send" name=":1.28" pid=2164500 label="firefox" peer_pid=2502 peer_label="unconfined"`
Also, I noticed that the `firefox` profile in the Ubuntu 24.04 package has a rule for `/etc/writable/timezone` that is not present in Git. Figured that should be in here.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/409Closes#409
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1253
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This is needed to avoid a "Conflicting profiles" error if there are two
profiles for an application, with one of them disabled.
This is not a theoretical usecase - for example, apparmor.d ships some
profiles that replace our "userns+unconfined" profiles. These profiles
use a different filename, and apparmor.d also creates a disable symlink
for the "userns+unconfined" profile it replaces.
I propose this patch for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1264
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... and not only for events in missing hats.
This fixes a crash if the log contains exec events for a hat where not
even the parent profile exists.
I propose this patch for master, 4.0 and 3.1.
(In 3.0, `aa` is still a `hasher` which avoids the crash, therefore it doesn't really need this patch.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1265
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Contrary to what the name would imply aa-unconfined displays info for
both confined and unconfined processes. Add a --short option that only
output processes that are not confined. Eg.
$ ./utils/aa-unconfined
17192 /snap/chromium/2890/usr/lib/chromium-browser/chrome (/snap/chromium/2890/usr/lib/chromium-browser/chrome --password-store=basic --disable-features=TFLiteLanguageDetectionEnabled) confined by 'snap.chromium.chromium (enforce)'
17395 /snap/chromium/2890/usr/lib/chromium-browser/chrome (/snap/chromium/2890/usr/lib/chromium-browser/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --crashpad-handler-pid=17337 --enable-crash-reporter=,snap --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,16674663885832976354,18417931519279121981,262144 --disable-features=TFLiteLanguageDetectionEnabled --variations-seed-version) confined by 'snap.chromium.chromium (enforce)'
17981 /snap/firefox/4451/usr/lib/firefox/firefox confined by 'snap.firefox.firefox (enforce)'
1353664 /tmp/.mount_OrcaSl7G1va5/bin/orca-slicer not confined
is trimmed to
$ ./utils/aa-unconfined --short
1353664 /tmp/.mount_OrcaSl7G1va5/bin/orca-slicer not confined
Signed-off-by: John Johansen <john.johansen@canonical.com>
The prompt/user upcall mode shows up as a mode of (user). And for
stacked policy with different modes (mixed) is used. Add these to the
list of modes to screen.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the ability to list applications that are unconfined and have
any open network socket open, both listening and non-listening.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the abiity to list applications that are unconfined and have
open connection ports that are not listening.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The documentation of --paranoid is wrong. It lists all processes and
does not exclude based on whether it has a network port open.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is needed to avoid a "Conflicting profiles" error if there are two
profiles for an application, with one of them disabled.
This is not a theoretical usecase - for example, apparmor.d ships some
profiles that replace our "userns+unconfined" profiles. These profiles
use a different filename, and apparmor.d also creates a disable symlink
for the "userns+unconfined" profile it replaces.
* UnixRule: Fix handling of peers with a ? and peers that are/need to be quoted
`?` is a valid AARE char, add it to the regexes that match the AARE.
Also add some tests to ensure this is really fixed, and make the error
output of the tests more useful/verbose.
* Fix handling of quoted peers in UnixRule (and others)
In UnixRule (and probably also in other rules that use
print_dict_values()` and `initialize_cond_dict()`), the handling of
peers with a value that is quoted and/or needs to be quoted was broken
because
- quotes didn't get stripped in `initialize_cond_dict()`
- `print_dict_values()` didn't use `quote_if_needed()`
Note: print_dict_values also handles integers (like network ports).
Convert them to a string so that `if ' ' in data` in `quote_if_needed()`
doesn't explode.
Also enable the test that uncovered this bug.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/404Closes#404
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1262
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
In UnixRule (and probably also in other rules that use
print_dict_values()` and `initialize_cond_dict()`), the handling of
peers with a value that is quoted and/or needs to be quoted was broken
because
- quotes didn't get stripped in `initialize_cond_dict()`
- `print_dict_values()` didn't use `quote_if_needed()`
Note: print_dict_values also handles integers (like network ports).
Convert them to a string so that `if ' ' in data` in `quote_if_needed()`
doesn't explode.
Also enable the test that uncovered this bug.
`?` is a valid AARE char, add it to the regexes that match the AARE.
Also add some tests to ensure this is really fixed, and make the error
output of the tests more useful/verbose.
Note: One of the added tests (with a space in the peer name) uncovered a
bug in quote handling. This will be fixed in the next commit.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/404
Update the state machine readme to better reflect how the chfa is
encoded and works. It still needs a lot more but fixes several errors
in the doc and adds some info about state differential encoding, oobs,
and comb compression.
In addition fix an off by own error during chfa encoding. This has
likely never triggered as it gets hidden by being in a section that
is being in a section that is padded to an 8 byte boundary.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1244
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Expression simplification can get into an infinite loop due to eps
pairs hiding behind and alternation that can't be caught by
normalize_eps() (which exists in the first place to stop a similar
loop).
The loop in question happens in AltNode::normalize when a subtree has
the following structure.
1. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
2. if (normalize_eps(dir)) results in
alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
alt alt
/\ /\
/ \ / \
/ \ / \
eps eps eps eps
4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps eps
5. if (normalize_eps(dir)) results in
alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps eps
6. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
back to beginning of cycle
Fix this by detecting the creation of an eps_pair in rotate_node(),
that pair can be immediately eliminated by simplifying the tree in that
step.
In the above cycle the pair creation is caught at step 3 resulting
in
3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps eps
which gets reduced to
alt
/\
/ \
/ \
eps eps
breaking the normalization loop. The degenerate alt node will be caught
in turn when its parent is dealt with.
This needs to be backported to all releases
Closes: https://gitlab.com/apparmor/apparmor/-/issues/398
Fixes: 846cee506 ("Split out parsing and expression trees from regexp.y")
Reported-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes#398
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1252
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Expression simplification can get into an infinite loop due to eps
pairs hiding behind and alternation that can't be caught by
normalize_eps() (which exists in the first place to stop a similar
loop).
The loop in question happens in AltNode::normalize when a subtree has
the following structure.
1. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
2. if (normalize_eps(dir)) results in
alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
alt alt
/\ /\
/ \ / \
/ \ / \
eps eps eps eps
4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps eps
5. if (normalize_eps(dir)) results in
alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps eps
6. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
back to beginning of cycle
Fix this by detecting the creation of an eps_pair in rotate_node(),
that pair can be immediately eliminated by simplifying the tree in that
step.
In the above cycle the pair creation is caught at step 3 resulting
in
3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps eps
whch gets reduces to
alt
/\
/ \
/ \
eps eps
breaking the normalization loop. The degenerate alt node will be caught
in turn when its parent is dealt with.
This needs to be backported to all releases
Closes: https://gitlab.com/apparmor/apparmor/-/issues/398
Fixes: 846cee506 ("Split out parsing and expression trees from regexp.y")
Reported-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adding mediation classes in unconfined profiles caused nested profiles
to be mediated, inside a container for example.
As a first step, skip the addition of mediation classes into the dfa.
The creation of unprivileged user namespaces is an exception, where we
always want to mediate it.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2067900
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
technically a # leading a value in an assignment expression is allowed,
however people are also using it to a comment at the end of a line.
ie.
```
@{var1}=value1 # comment about this value or for a given system
```
this unsurprisingly leads to odd/unexpected behavior when the variable
is used.
```
allow rw /@{var1},
```
expands into
```
allow rw /{value1,#,comment,about,this,value,or,for,a,given,system},
```
change a leading # of a value in an assignment expression to a comment.
If the # is really supposed to lead the value, require it to be escaped
or in quotes.
ie.
```
@{var1}=value1 \#not_a_comment
```
Note: this could potentially break som policy if the # was used as the
leading character for a value in an assignment expression, but
is worth it to avoid the confusion.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1255
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The parser writes
sizeof(th)) + th_version + (char)0 + name + (char)0;
but the padding currently is computed as
sizeof(th)) + th_version + name + (char)0;
missing the internal (char)0, add 1 to the pad and fill to ensure
this is correct.
Reported-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Update the state machine readme to better reflect how the chfa is
encoded and works. It still needs a lot more but fixes several errors
in the doc and adds some info about state differential encoding, oobs,
and comb compression.
Signed-off-by: John Johansen <john.johansen@canonical.com>
technically a # leading a value in an assignment expression is allowed,
however people are also using it to a comment at the end of a line.
ie.
@{var1}=value1 # comment about this value or for a given system
this unsurprisingly leads to odd/unexpected behavior when the variable
is used.
allow rw /@{var1},
expands into
allow rw /{value1,#,comment,about,this,value,or,for,a,given,system},
change a leading # as value in an assignment expression to a comment.
If the # is really supposed to lead the value, require it to be escaped
or in quotes.
ie.
@{var1}=value1 \#not_a_comment
Note: this could potentially break som policy if the # was used as the
leading character for a value in an assignment expression, but
is worth it to avoid the confusion.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similarly to https://gitlab.com/apparmor/apparmor/-/merge_requests/689, use the
global CFLAGS when building Python library, so we honor extra flags set by
distributions, such
as -fstack-protector-strong -fstack-clash-protection -Werror=format-security -fcf-protection.
Spotted by blhc on Debian.
Gbp-Pq: Name Honor-global-CFLAGS-when-building-Python-library.patch
This file contains the same kind of information as @{PROC}/@{pid}/net/route
and both files are world readable:
```
$ ls -l /proc/self/net/*route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/ipv6_route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/route
```
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1246
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This file contains the same kind of information as @{PROC}/@{pid}/net/route
and both files are world readable:
```
$ ls -l /proc/self/net/*route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/ipv6_route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/route
```
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
aa-remove-unknown doesn't deal properly with profiles that contain
spaces in their names.
Using profile "MongoDB Compass" as an example, awk's sub returns the
number of matches - either 1 or 0 and replaces the actual string ($0)
with the substitution. By accessing the return of sub with $, awk
would be accessing $1 which would return only "MongoDB".
Fix this by using $0 instead of $str.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/395
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes#395
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1243
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
In the course of preparing !1207, I found that the validation rules in `profiles/Makefile` did not take kindly to the new `profiles/apparmor/profiles/extras/abstractions/` directory. I tried a couple rounds of quick fixes, but it became clear that the rules as currently written were just not amenable to the new addition, and needed more attention than I could give it by-the-by.
So I separated out that commit, and revised the makefile more thoroughly. The updated rules now rely more on `find(1)` than `$(wildcard)`, and have a number of [what I believe to be] small quality-of-life improvements. Taken together, `make check` passes cleanly with the new files from my other MR present.
One thing I noticed was that the profiles under `apparmor.d/` were not previously being checked for the `include if exists <local/*>` bit---only the ones under `extras/`. I've thus included a fix to the `sbuild-shell` profile, which fortunately was the only one that failed the check.
Note that at present, you'll get a couple of harmless `find: ‘./apparmor/profiles/extras/abstractions’: No such file or directory` errors when running the checks, since that directory won't appear until the other MR is merged. I figure, better to bear that for now, and not have to touch the makefile again later.
NOTE: The CI pipeline here will need to be updated to invoke the `check-local` target instead of `check-extras`. This target was renamed as it is no longer limited in scope to the profiles under `extras/`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1214
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
aa-remove-unknown doesn't deal properly with profiles that contain
spaces in their names.
Using profile "MongoDB Compass" as an example, awk's sub returns the
number of matches - either 1 or 0 and replaces the actual string ($0)
with the substitution. By accessing the return of sub with $, awk
would be accessing $1 which would return only "MongoDB".
Fix this by using $0 instead of $str.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/395
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Without this patch, aa-remove-unknown uses 'profile_name (unconfined)'
when trying to unload unconfined profiles, which fails for obvious
reasons with (picking a random example)
Removing 'busybox (unconfined)'
/sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory
I propose this patch for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1240
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Without this patch, aa-remove-unknown uses 'profile_name (unconfined)'
when trying to unload unconfined profiles, which fails for obvious
reasons with (picking a random example)
Removing 'busybox (unconfined)'
/sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory
... and tests for it.
This replaces the old code that just stores the full rule as text.
We also get rid of the old ['allow'] and ['deny'] items in
ProfileStorage, the handling of old write functions, and the last usage
of _Raw_Rule (and therefore _Raw_Rule itsself).
Also delete the old test-pivot_root_parse.py which relied on the ancient
code, and even used a wrong syntax in its test rules.
Oh, and aa-logprof can now ask about pivot_root events.
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1232
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source.
Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid.
For the same reason, specifying a fstype in these cases is also prohibited.
Similarly, we prohibit to specify a fstype for bind mount rules.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1236
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source.
Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid.
For the same reason, specifying a fstype in these cases is also prohibited.
Similarly, we prohibit to specify a fstype for bind mount rules.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
... for handling pivot_root rules.
This replaces the old code that just stores the full rule as text.
We also get rid of the old ['allow'] and ['deny'] items in
ProfileStorage, the handling of old write functions, and the last usage
of _Raw_Rule (and therefore _Raw_Rule itsself).
Also delete the old test-pivot_root_parse.py which relied on the ancient
code, and even used a wrong syntax in its test rules.
The following exceptions were added to flake8 since they have several
expected uses in the tools and their tests:
E501: Line lengths are recommended to be no greater than 79 characters.
E241: Multiple spaces after ','
W503: Line break occurred before a binary operator
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
ProfileStorage knows a whole profile, therefore it should also include the profile header in `__repr__()`.
Also add a test for this.
While on it, add a test for an invalid type change for a type that doesn't have special handling in `__setitem__()` to increase test coverage.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1233
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Since musl 1.2.5, basename(3) prototype is only provided in libgen.h
(as mandated by POSIX) and not in strings.h. Also there is a major
difference between the gnu basename and the one defined in libgen.h,
the latter modify the argument string making them incompatible.
Fix this by defining a portable version of basename using strchr.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1234
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Since musl 1.2.5, basename(3) prototype is only provided in libgen.h
(as mandated by POSIX) and not in strings.h. Also there is a major
difference between the gnu basename and the one defined in libgen.h,
the latter modify the argument string making them incompatible.
Fix this by defining a portable version of basename using strchr.
audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.
Change logparser.py to also consider `operation=mount` as a mount event.
Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.
Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.
Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.
I propose this fix for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1229
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.
Change logparser.py to also consider `operation=mount` as a mount event.
Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.
Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.
Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.
Did some testing on a fresh post-release image of noble, and uncovered some new denials:
#### Xorg
`2024-05-06T19:55:36.782484-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715039736.765:174): apparmor="DENIED" operation="link" class="file" profile="Xorg" name="/tmp/.X0-lock" pid=1366 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 target="/tmp/.tX0-lock"`
#### chromium_browser
`2024-05-06T21:17:09.674963-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715040834.256:168): apparmor="DENIED" operation="userns_create" class="namespace" profile="chromium_browser" pid=2133 comm="chromium" requested="userns_create" denied="userns_create"`
#### firefox
`2024-05-06T21:33:09.387356-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045589.369:505): apparmor="DENIED" operation="userns_create" class="namespace" profile="firefox" pid=3610 comm="firefox" requested="userns_create" denied="userns_create"`
`2024-05-06T21:36:48.911280-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045808.884:682): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/fs/cgroup/user.slice/user-1000.slice/session-c2.scope/cpu.max" pid=4348 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`2024-05-06T21:42:34.152955-04:00 image-ubuntu64 dbus-daemon[1628]: apparmor="DENIED" operation="dbus_bind" bus="session" name="org.mpris.MediaPlayer2.firefox.instance_1_82" mask="bind" pid=4348 label="firefox"`
#### Xorg (second commit)
I neglected to set `abi/4.0` when this went in originally. (I was using the profile on jammy, hence the `3.0`.)
Also, testing on an older laptop that *doesn't* support KMS revealed that Xorg needs some pretty serious permissions then. I've added them in commented-out form, with an explanatory comment. (The `#nokms#` bit is meant to simplify uncommenting those two lines mechanically, e.g. `sed -i 's/#nokms#//'`)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1227
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Balena Etcher runs in a degraded sandbox mode when unprivileged userns
is not available. Add an unconfined profile so it's properly
sandboxed.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Shellcheck is complaining that some of the functions are never called,
but they are called from rc.apparmor.functions, causing a false
positive.
This issue only appears in shellcheck version 0.9.0, which is the one
used in ubuntu 24.04, that's why it only failed in the pipeline now.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Since we are using ubuntu:latest, and noble was released, some tests
are failing.
shellcheck needs python3 to run, which was possibly installed by
default in previous ubuntu images and is no longer the case.
Ignore dist-packages python files during our coverage tests.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Rename the "check-extras" target to "check-local" as it is no longer
limited to the extra profiles, and also fix a local include in the
sbuild-shell profile so that it passes the newly-applied CI check.
Add a flag that allows setting the error code AppArmor will send when
an operation is denied. This should not be used normally.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This is a profile to contain the Xorg X11 server, which still runs as root in many scenarios (not least under [LightDM](https://github.com/canonical/lightdm/issues/18)).
I've tested this under every X display manager available in Debian/Ubuntu, as well as plain `startx(1)`. Both rootful and rootless modes are covered. The hardware I've tried this on predominantly uses Intel integrated graphics, with one Nouveau system represented. If someone has an Nvidia GPU running the proprietary driver, that would be a good data point to double-check, owing to the different driver architecture.
As you can see, I avoided going too far into the weeds enumerating everything the X server needs to run. The general pattern I found was that it needs read access to a lot of things, but write access to relatively few.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1075
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This updates the man page for the recent inet mediation patch.
This is an extension of MR 1202, it adds a patch that changes the anonymous ip address anon to be ip address none which is a better fit.
This patch adds documentation of the recent network changes which extended all network rules to support access permissions, and added address and port matching for inet and inet6 families.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1213
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
inet mediation allows specifying rules for sockets that don't have
a known address, whether because it is unbound or because the
kernel doesn't make the address available.
The current code uses the word anon for anonymous, but that has
proven to be unclear. Switch from using anon to none, to emphasize
that this is a case where there just isn't an address to use as
part of mediation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
When a family is specified in the network rules, we have to make sure
the conditionals match the family. A netlink rule should not be able
to specify ip and port for local and remote (peer) sockets, for example.
When type or protocol is specified in network rules along with inet
conditionals, we should only generate rules for the families that
support those conditionals.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The bwrap and unshare profiles are special profiles in the same
vein as the unconfined profiles but they actual enforce restrictions
on the applications that are launched.
As such they have come to late in the 4.0 dev cycle to consider enabling
by default. Disable them but ship them so users or distros can easily
enable them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This adds a bwrap profile to allow it to function on a system with
user namespace restrictions enabled.
The child task of bwrap will enter into a profile without capabilities
thus preventing bwrap from being able to be used to arbitrarily
by-pass user namespace restrictions.
This profile does prevent applications launch with privilege (eg.
sudo bwrap ...) from functioning so it may break some use cases.
Note: The unpriv_bwrap profile is deliberately stacked against the
bwrap profile due to bwraps uses of no-new-privileges.
Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1205
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This adds a bwrap profile to allow it to function on a system with
user namespace restrictions enabled.
The child task of bwrap will enter into a profile without capabilities
thus preventing bwrap from being able to be used to arbitrarily
by-pass user namespace restrictions.
This profile does prevent applications launch with privilege (eg.
sudo bwrap ...) from functioning so it may break some use cases.
Note: The unpriv_bwrap profile is deliberately stacked against the
bwrap profile due to bwraps uses of no-new-privileges.
Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>
The version of tarball version of firefox downloaded from mozilla.org
installs to /opt/firefox/firefox. Support this location so that the
firefox from the tarball works.
Note this does not support running firefox from the users home directory
in this case the user must update the profile accordingly.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1203
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This adds an unshare profile to allow it to function on a system
with user namespace restrictions enabled.
The child task of unshare will enter into a profile without capabilities
thus preventing unshare from being able to arbitrarily being used to
by-pass the user namespace restriction.
This profile does prevent applications launch with privilege (eg.
sudo unshare ...) from functioning so it may break some use cases.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The version of tarball version of firefox downloaded from mozilla.org
installs to /opt/firefox/firefox. Support this location so that the
firefox from the tarball works.
Note this does not support running firefox from the users home directory
in this case the user must update the profile accordingly.
Signed-off-by: John Johansen <john.johansen@canonical.com>
In some cases, ldd might obtain information by executing the given
binary (see ldd(1)) - which is not something we should do on potentially
unknown binaries, especially because aa-genprof and aa-autodep (and
therefore also ldd) are often started as root.
Additionally, the ldd result typically listed libraries already covered
by abstractions/base, which makes the ldd call superfluous.
While on it,
- remove all references to ldd
- remove code only used for calling ldd and handling its results
- remove tests checking ldd results, and the fake_ldd script
- adjust a test where fake_ldd had added some libraries
- remove ldd path from logprof.conf [settings]
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1201
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
- Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
- Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
- Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
- Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).
In some cases, ldd might obtain information by executing the given
binary (see ldd(1)) - which is not something we should do on potentially
unknown binaries, especially because aa-genprof and aa-autodep (and
therefore also ldd) are often started as root.
Additionally, the ldd result typically listed libraries already covered
by abstractions/base, which makes the ldd call superfluous.
While on it,
- remove all references to ldd
- remove code only used for calling ldd and handling its results
- remove tests checking ldd results, and the fake_ldd script
- adjust a test where fake_ldd had added some libraries
- remove ldd path from logprof.conf [settings]
Give access to @{HOMEDIRS}, just like in usr.sbin.smbd, so that
usershares in /home/ can be accessed.
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
- Adding support for --output-dir in aa-logprof and aa-genprof, allowing to work on profiles without applying the modified version
- Adding support for --allow-all in aa-logprof that creates non-interactively 'allow' rules for all logs
- Adding support for --no-abstraction in aa-logprof and aa-genprof
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1177
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
When the setup of the notify options failed, they were exiting the
program without cleaning up the mqueue. Fix this by returning instead
of exiting, since the main function does the cleanup in case of any
failures. If the test succeeds, then it exits successfully.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
mq_notify only notifies if the queue is empty, so if the sender wins
the race and sends a message before mq_notify is set up, mq_notify
will timeout.
Adding synchronization using pipes the same way it was used in the
setns tests should fix it. The pipe now needs rw permissions, so add
that to the tests.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The child which sends the message was winning the race and causing a
timeout when the receiver was waiting for the message.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
net_inet makes more sense since other finegrained network types can be
added in the future.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The abstraction lxc/start-container shipped by the liblxc-common
package uses the following mount rule which was not allowed by our
regexes:
mount options=(rw, make-slave) -> **,
mount options=(rw, make-rslave) -> **,
Since in AppArmor regex ** includes '/' but * by itself doesn't, I'm
adding explicit support for **.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1195
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
The abstraction lxc/start-container shipped by the liblxc-common
package uses the following mount rule which was not allowed by our
regexes:
mount options=(rw, make-slave) -> **,
mount options=(rw, make-rslave) -> **,
Since in AppArmor regex ** includes '/' but * by itself doesn't, I'm
adding explicit support for **.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The network cmp function was missing the new attributes added, causing
rules to be dropped.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
When the ip is not specified, then we should generate rules for ip
types: anonymous, ipv4 and ipv6. And that's the case for both local
and peer when considering recv and send permissions.
std::ostringstream does not have a copy constructor, that's why in
several places one can see streaming the string of one stream into
another.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
We want to be able to determine label in the future and build the
policy dfa based on its presence or not.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
According to the protocol expected by the kernel, the field
representing the ip size should be an enum instead of the actual ip
size. This is more future-proof.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Before the inet patches, protocol was not handled, so the information
was ignored. This patch introduces the ability to start mediating
protocol.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
We're not trying to execute a command in EXTRA_WARNINGS, so don't try to spawn
a subshell for it which gives:
```
./configure: 14770: EXTRA_WARNINGS: not found
checking whether C compiler accepts -flto-partition=none... yes
```
We can either use ${} or just $ (style). Use $ to be consistent with other
uses in the file.
Signed-off-by: Sam James <sam@gentoo.org>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1184
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
We're not trying to execute a command in EXTRA_WARNINGS, so don't try to spawn
a subshell for it which gives:
```
./configure: 14770: EXTRA_WARNINGS: not found
checking whether C compiler accepts -flto-partition=none... yes
```
We can either use ${} or just $ (style). Use $ to be consistent with other
uses in the file.
Signed-off-by: Sam James <sam@gentoo.org>
Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading
/etc/shadow itsself. Add exec permissions to abstraction/authentication.
It also needs to read /proc/@{pid}/loginuid
Also cleanup the now-superfluous rules from the smbd profile.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
With abstractions/openssl now being included from abstraction/base
(via the indirection of abstractions/crypto) anything already
including abstraction/base can stop including abstractions/openssl
directly.
This is a follow up to 3d1dedfa as suggested by @cboltz
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1179
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
With abstractions/openssl now being included from abstraction/base
(via the indirection of abstractions/crypto) anything already
including abstraction/base can stop including abstractions/openssl
directly.
Administrators might want to define global limits (e.g. disabling
a particular feature) via configuration files, but to make that work
all confined software needs to be allowed to read those files or
otherwise the risk is to silently fall back to internal defaults.
This adds the abstraction already defined for openssl to
abstraction/crypto as it is about cryptography, but also because
abstraction/base includes abstraction/crypto and therefore it will
be allowed in general.
Administrators might want to define global limits (e.g. disabling
a particular feature) via configuration files, but to make that work
all confined software needs to be allowed to read those files or
otherwise the risk is to silently fall back to internal defaults.
This adds the paths usually used by gnutls to abstraction/crypto
as it is about cryptography, but also because abstraction/base
includes abstraction/crypto and therefore it will be allowed
in general.
The error message when autoconf-archive is not installed is not very
intuitive:
```
./configure: line 14422: EXTRA_WARNINGS: command not found
./configure: line 14423: syntax error near unexpected token `-flto-partition=none,'
./configure: line 14423: `AX_CHECK_COMPILE_FLAG(-flto-partition=none, , , -Werror)'
```
So, check if AX_CHECK_COMPILE_FLAG is defined and if not, complain
that autoconf-archive is missing.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1174
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The permission for network rules when the inet mediation was not
available, or for when the family was not af_inet or af_inet6 was
being generated as one that would allow anything. Make them specific
using perms.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The layout for AF_INET and AF_INET6 rules were being applied to all
families, which causes failures in their mediation.
Fixes: ddefe11a ("parser: add fine grained conditionals to network rule")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
- replace example calls of /etc/init.d/apparmor with apparmor.service
- drop /etc/init.d/apparmor in filelist
- replace /var/lib/apparmor/ with /var/cache/apparmor/
The error message when autoconf-archive is not installed is not very
intuitive:
./configure: line 14422: EXTRA_WARNINGS: command not found
./configure: line 14423: syntax error near unexpected token `-flto-partition=none,'
./configure: line 14423: `AX_CHECK_COMPILE_FLAG(-flto-partition=none, , , -Werror)'
So, check if AX_CHECK_COMPILE_FLAG is defined and if not, complain
that autoconf-archive is missing.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
* **MountRule: sync flags_keywords with parser code**
... based on /mount.cc mnt_opts_table
Several keywords and aliases were missing in flags_keywords:
- B
- M
- make-private
- make-rprivate
- make-rshared
- make-rslave
- make-runbindable
- make-shared
- make-slave
- make-unbindable
- r
- R
- read-only
- w
Also sort the keywords in the same order as in mount.cc.
Note: AARE handling is still a TODO.
After that, update the list of known parsing failures:
- several valid profiles are now correctly parsed
- some `"make-*" mount opt and an invalid src` bad profiles are no
longer detected as being invalid
* **test-mount.py: fix MountRule instance creation**
If fstype or options is a str, it has to be exactly one keyword, because
\__init__() / check_and_split_list() won't parse a str.
Our "normal" code already honors this, and only hands over fstype and
options as sets or a single-keyword str.
However, a few tests (wrongly) handed over a str that would need further
parsing. Adjust the tests to no longer do this.
* **MountRule: check for unknown fstype and options**
... now that the previous commits fixed issues that ended up as unknown
keywords.
Also add mount/ok_12.sd as known-failing test. It uses fstype=AARE which
MountRule doesn't support (yet?).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1169
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
* Fix writing 'mount {options,fstype} in ...' rules
We need spaces around the 'in' keyword.
Also add some tests for this.
* Make error check more readable
* MountRule: make get_clean() more readable
... by getting rid of two mostly-identical, big return statements.
Also add tests for bare umound and remount rules to ensure full test
coverage.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1168
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
... now that the previous commits fixed issues that ended up as unknown
keywords.
Also add mount/ok_12.sd as known-failing test. It uses fstype=AARE which
MountRule doesn't support (yet?).
If fstype or options is a str, it has to be exactly one keyword, because
__init__() / check_and_split_list() won't parse a str.
Our "normal" code already honors this, and only hands over fstype and
options as sets or a single-keyword str.
However, a few tests (wrongly) handed over a str that would need further
parsing. Adjust the tests to no longer do this.
... based on /mount.cc mnt_opts_table
Several keywords and aliases were missing in flags_keywords:
- B
- M
- make-private
- make-rprivate
- make-rshared
- make-rslave
- make-runbindable
- make-shared
- make-slave
- make-unbindable
- r
- R
- read-only
- w
Also sort the keywords in the same order as in mount.cc.
Note: AARE handling is still a TODO.
After that, update the list of known parsing failures:
- several valid profiles are now correctly parsed
- some `"make-*" mount opt and an invalid src` bad profiles are no
longer detected as being invalid
Now that we have MountRule and MountRuleset, drop the old "just store
the whole rule" code for mount rules.
Also drop some old tests that used that "store the whole mount rule"
code, and adjust the regex_matches tests to import the regex directly
from apparmor.regex.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1165
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
If /proc/filesystems contains a filesystem that is not listed in
MountRule valid_fs, print a useful error message that says what exactly
is going on, instead of only saying "False is not True".
Now that we have MountRule and MountRuleset, drop the old "just store
the whole rule" code for mount rules.
Also drop some old tests that used that "store the whole mount rule"
code, and adjust the regex_matches tests to import the regex directly
from apparmor.regex.
A simple rule without conditionals need to be generated for when the
kernel does not support fine grained inet network mediation.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
By not having quotes in $@, the string splits by the whitespace.
That prevents us from checking if the parser supports rules
that have spaces in them.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Options available are ip= and port= inside the peer group or outside,
representing local addresses and ports:
network peer=(ip=127.0.0.1 port=8080),
network ip=::1 port=8080 peer=(ip=::2 port=8081),
The 'ip' option supports both IPv4 and IPv6. Examples would be
ip=192.168.0.4, or ip=::578d
The 'port' option accepts a 16-bit unsigned integer. An example would
be port=1234
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Nautilus uses user namespaces to load thumbnails, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123
Although nautilus has extensions that would allow opening a terminal
from the nautilus interface, they do not inherit nautilus' AppArmor
label, therefore the use of unconfined does not allow arbitrary use of
unprivileged user namespaces using the nautilus label.
https://gitlab.com/apparmor/apparmor/-/merge_requests/1123
In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.
Fixes: https://bugs.launchpad.net/bugs/2047256
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit add fixes for issues found in coverity's snapshot 70858.
- CID 323127: Performance inefficiencies (COPY_INSTEAD_OF_MOVE)
- CID 323125: Uninitialized members (UNINIT_CTOR)
I'm also removing Novell, Inc. from the copyright notice added by a
copy-paste error, and an unused variable left over from debugging.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Precompile each filter regex with re.compile so they don't need to be
recompiled for each log message when using re.match directly.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
aa-unconfined can fault if it looses the race between checkking if
proc/*/attr/{apparmor/,}current exists, and actually opening the file.
Catch open/file errors and ignore them like the file doesn't exist.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/355
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow notification filtering of the fields profile, operation, name,
denied_mask, net_family and net_socket using regex. Both command line
and config options in notify.conf are available.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The tests for aa-notify that were related to the last login were
assuming that the machine had been logged in at least once in the last
30 days, but that might not be the case.
Update the test to check for the last login date and update the test
logs considering that value.
Fixes: https://bugs.launchpad.net/bugs/1939022
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Failures on regex and exec are related to /usr/bin and /bin merge.
The userns failure is related to the addition of the unprivileged_userns
profile and the kernel ability to transition to it when an unconfined
unprivileged user namespace is created.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1146
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The short form of the help parameter was not accepting an optional
argument as described in the help message. Update the help message to
remove the extra whitespace in between -h and the options since
getopt(1) says that
"If the option has an optional argument, it must be written directly
after the option character if present."
even though that's not described in getopt(3).
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The help message from aa-status referenced -h filter when it should
have been -h filters. Also added some whitespaces for consistency.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
element-desktop needs to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123!1123
In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
!1109
is merged.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1150
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
There is a kernel feature, available under
namespaces/userns_create/pciu&, that enables the transition of
unconfined tasks to a special profile called unprivileged_userns when
they try to create an unprivileged user namespace with
clone/unshare. This transition allows the creation of the unprivileged
user namespace but hinders its privileges by not allowing
capabilities. Refer to the unprivileged_userns profile to check what
rules are allowed.
If either the feature is not present in the kernel, or the
unprivileged_userns profile is not loaded, then the defined behavior
is to deny the creation of the unprivileged user namespace
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Some of the tests are failing because of /usr/bin/true vs /bin/true.
Similarly to what was done in 8c09b328, to make the tests more
reliable, copy the true binary to $tmpdir and use this path on the
tests instead.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Unprivileged user namespace creation is allowed an will result in a
transition into the unprivileged_userns profile. The
unprivileged_userns profile with then deny all capabilities within the
profile. Execution of applications is allowed within the
unprivileged_userns profile but, they will result in a stack with the
unprivileged_userns profile, that is to say the unprivileged_userns
profile can not be dropped (capabilities can not be gained).
If the unprivileged_userns profile does not exist, unprivileged user
namespace creation is denied as before.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
/proc/$pid/cmdline can be changed by an application, therefore escape it
before printing.
The program name in /proc/$pid/exe can also contain any characters
(except \0 and shashes) and needs escaping.
Note: repr() wraps the string into single quotes, which we have to
remove to avoid changing the output format.
The test program from issue 364 now gets displayed as
28443 /path/to/issue364 (/\x1b]0;X\x07) not confined
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/364
I propose this patch for 2.13..master
Closes#364
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1142
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The call aa_getpeercon() can return ENOPROTOOPT error in some cases, specifically when the kernel lacks 'fine grained unix mediation'. Currently, this capability isn't available in upstream kernels, but only in patched ones (for example, the regular Ubuntu kernels). Unfortunately, the manpage lacks this info. This patch fixes this.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/366
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1143
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
/proc/$pid/cmdline can be changed by an application, therefore escape it
before printing.
The program name in /proc/$pid/exe can also contain any characters
(except \0 and shashes) and needs escaping.
Note: repr() wraps the string into single quotes, which we have to
remove to avoid changing the output format.
The test program from issue 364 now gets displayed as
28443 /path/to/issue364 (/\x1b]0;X\x07) not confined
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/364
There are some tests like attach_disconnected and posix_mq that can
have a program that calls another. For example, posix_mq_rcv calls
posix_mq_snd. Both of them write to the same output file, but the code
that checks the result expects only one line. This change enables
checking multiple lines in the output file and passing or failing
accordingly.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1140
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
There are some tests like attach_disconnected and posix_mq that can
have a program that calls another. For example, posix_mq_rcv calls
posix_mq_snd. Both of them write to the same output file, but the code
that checks the result expects only one line. This change enables
checking multiple lines in the output file and passing or failing
accordingly.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The move_mount tests were returning -1 in case of failure causing it
to become 255 in some systems, but checktestbg in the testsuite
considers any return value greater than 128 to be a signal error.
That would cause tests that should fail to display the following test
error:
... was expected to 'fail'. Reason for failure 'killed by
signal 127'
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1139
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
The move_mount tests were returning -1 in case of failure causing it
to become 255 in some systems, but checktestbg in the testsuite
considers any return value greater than 128 to be a signal error.
That would cause tests that should fail to display the following test
error:
... was expected to 'fail'. Reason for failure 'killed by
signal 127'
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Instead of ignoring all exec events that happen in a hat/child profile,
only disallow child exec. ix and px are valid options inside a hat and
are now offered to the user.
(When the tools support nested child profiles one day, we can even allow
child exec again.)
[This MR is for master only. I opened separate MRs for 3.1 and 3.0]
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1133
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
the stacking tests need to be able to read and write the new apparmor
dir in proc, if that interface has been selected. Update the tests to
make sure they have the permissions needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of ignoring all exec events that happen in a hat/child profile,
only disallow child exec. ix and px are valid options inside a hat and
are now offered to the user.
(When the tools support nested child profiles one day, we can even allow
child exec again.)
Add support for a default_allow mode that facillitates writing profiles
in that allow everything by default. This is not normally recomended
but fascilitates creating basic profiles while working to transition
policy away from unconfined.
This mode is being added specifically to replace the use of the
unconfined flag in these transitional profiles as the use of unconfined
in policy is confusing and does not reflect the semantics of what is
being done.
Generally the goal for policy should be to remove all default_allow
profiles once the policy is fully developed.
Note: this patch only adds parsing of default_allow mode. Currently
it sets the unconfined flag to achieve default allow but this
prevents deny rules from being applied. Once dominance is fixed a
subsequent patch will transition default_allow away from using
the unconfined flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1109
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Happy holidays, been meaning to push these updates out for some time:
* Add `owner` keyword to several rules to tighten them up. I've tested these for several months in normal usage and encountered no denials;
* Add new DBus access rules for the following:
```
Oct 18 06:26:06 darkstar kernel: [4369444.223230] audit: type=1107 audit(1697624766.349:2448): pid=745 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" name=":1.1" mask="receive" pid=1484746 label="firefox" peer_pid=773 peer_label="unconfined"
Oct 19 19:18:20 darkstar kernel: [4502177.573224] audit: type=1107 audit(1697757500.040:2456): pid=745 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.1" pid=1677547 label="firefox" peer_pid=773 peer_label="unconfined"
Oct 19 19:18:20 darkstar kernel: [4502177.700071] audit: type=1107 audit(1697757500.168:2457): pid=745 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.5878" pid=1484746 label="firefox" peer_pid=1677582 peer_label="unconfined"
```
* Deny write access to `/etc/**`, due to this odd bit:
```
Jul 27 15:23:21 darkstar kernel: [6530015.183715] audit: type=1400 audit(1690485801.308:128963): apparmor="DENIED" operation="mknod" profile="firefox" name="/etc/igfx_user_feature_next.txt" pid=2618266 comm="vaapitest" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
```
* Allow read access to a cgroup `cpu.max` variable. I lost the relevant log bit here, I'm afraid;
* Relocate the ptrace rule, as it relates to the crash reporter, not (as far as I've found) the Widevine plugin.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1131
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
man apparmor_parser gives examples for the --warn command line option as
apparmor_parser --warn=rules-not-enforced ...
and
apparmor_parser --warn=no-rules-not-enforced ...
but the actual --warn options are rule-not-enforced / no-rule-not-enforced
(without s)
Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057453
Given the following profile:
profile foo {
profile bar {
profile baz {
}
}
}
The parser would correctly serialize the "foo" profile and the
"foo//bar" profile, but it would incorrectly name "bar//baz" when it
should be "foo//bar//baz". This would cause issues loading the profile
in certain kernels causing a "parent does not exist" error.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1127
Merged-by: John Johansen <john@jjmx.net>
Given the following profile:
profile foo {
profile bar {
profile baz {
}
}
}
The parser would correctly serialize the "foo" profile and the
"foo//bar" profile, but it would incorrectly name "bar//baz" when it
should be "foo//bar//baz". This would cause issues loading the profile
in certain kernels causing a "parent does not exist" error.
Partially addresses #346.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The recently added unconfined profiles use the binary name for the
local include instead of the profile name. Switch to using the
profile name for the local include.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add support for a default_allow mode that facillitates writing profiles
in that allow everything by default. This is not normally recomended
but fascilitates creating basic profiles while working to transition
policy away from unconfined.
This mode is being added specifically to replace the use of the
unconfined flag in these transitional profiles as the use of unconfined
in policy is confusing and does not reflect the semantics of what is
being done.
Generally the goal for policy should be to remove all default_allow
profiles once the policy is fully developed.
Note: this patch only adds parsing of default_allow mode. Currently
it sets the unconfined flag to achieve default allow but this
prevents deny rules from being applied. Once dominance is fixed a
subsequent patch will transition default_allow away from using
the unconfined flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adding profiles for applications even if they allow all operations
will allow them to be referenced as peer by other policies. This is
a step towards a more comprehensive system policy, adding names,
instead of just unconfined, to peers of existing policy and to
applications that are known to use unprivileged user namespaces.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1123
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When the regex parser failed, the Chars objects created/used in rules
charset and cset_chars would not be cleaned up properly and would
leak.
Closes#361
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Adding profiles for applications even if they allow all operations
will allow them to be referenced as peer by other policies. This is a
step towards a more comprehensive system policy, adding names, instead
of just unconfined, to peers of existing policy and to applications
that are known to use unprivileged user namespaces.
Note that unconfined mode should be changed for default_allow
when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is
merged.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
upstream kernels only have network_v8 unfortunately the tcp tests were
only being run against kernels that had network (which is v7). Kernels
that support both (Ubuntu) would be tested against v8, so v8 has been
tested but pure upstream kernels were failing to be tested correctly.
This patch will only make sure one of the supported verserions are
tested. This is determined by the parser which prefers v8. In the
future the tests need to be extended to run the tests against all
kernel supported versions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1120
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
upstream kernels only have network_v8 unfortunately the tcp tests were
only being run against kernels that had network (which is v7). Kernels
that support both (Ubuntu) would be tested against v8, so v8 has been
tested but pure upstream kernels were failing to be tested correctly.
This patch will only make sure one of the supported versions are
tested. This is determined by the parser which prefers v8. In the
future the tests need to be extended to run the tests against all
kernel supported versions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Teach CapabilityRule about the list of known capabilities, and ensure that only valid capabilities are allowed in profiles.
This comes with several test additions (and removals from the `exception_not_raised` list for the parser simple_tests), see the individual commits for details.
Reviewing each commit on its own is probably easier than reading the merged diff.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1117
Merged-by: John Johansen <john@jjmx.net>
Even if this is very unlikely to happen (because of the previously added
test, and because CapabilityRule only allows to specify known severity
keywords), ensure proper behaviour if an unknown severity gets rated.
- convert a string parameter to a list to avoid duplication of the
validation logic
- add separate check for empty cap_list
- remove check for empty strings - the previous commit already added
such a check to the for loop. Also, move the comment to that check.
... and error out if an unknown capability is given.
This also means recognizing bad capabilities in the parser simple_tests
now works (so remove these from the exception_not_raised list), and that
we can no longer hand over an unknown capability in test-capability.py
to test their severity.
... instead of non-existing ones.
This is a search-and-replace commit:
ptrace -> sys_ptrace
chgrp -> fowner (because fowner wasn't used in the test before)
Out of the box the KDE plasma-browser-integration package does not work
after a user installed the corresponding Firefox extension: The browser
can't start the native host binary. The same is probably true for
Chromium.
This was originally reported to KDE at https://bugs.kde.org/show_bug.cgi?id=397399
tools.py contained quite some things that need a big cleanup.
See the individual commits for details and more readable diffs.
Note: This MR "only" does cleanups and some refactoring. It does not change the (user-visible) behaviour of the code.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1114
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This also means we can get rid of most cleanprof-specific conditions
without changing the behaviour (because the other functions don't use
'profile' yet).
Also hand over prof_filename to clean_profile() so that it doesn't need
to find it out itsself.
Before, the 'profile' return value was either a profile name or a
profile filename, depending on the active module (cleanprof vs.
everything else).
Separate the return values so that it's clear what we get.
Notes:
- This commit doesn't change functionality, only the number of return
values and some variable names.
- There's no guarantee that all return values are set. They can also be
None. (This might change in the future.)
Also adjust the callers of get_next_to_profile(), and rename 'profile'
to 'prof_filename' in calling functions that actually use the profile
filename.
This needed replacement of "program" with "profile" at various places in
tools.py (of course this description is over-simplified).
The changes in get_next_to_profile() (which is used by several aa-*
minitools) are restricted to cleanprof to avoid side effects in the
other aa-* minitools.
However, the other aa-* minitools possibly also suffer from problems
with named profiles, but checking and fixing that is left for another
commit ;-)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/351
.
The fix needs an additional function in ProfileList (`profile_from_attachment()`) to get the profile name for a given attachment.
Since this is not very different from filename_from_attachment(), move
most of the code into a thing_from_attachment() function, and make
{profile,filename}_from_attachment wrappers for it.
Also adjust the tests to the changed internal data structure, and add
tests for profile_from_attachment().
I propose this patch for 3.0..master. (3.0 will probably need a slightly different patch - I'll submit a separate MR once this MR is merged.)
Closes#351
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1108
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This needed replacement of "program" with "profile" at various places in
tools.py (of course this description is over-simplified).
The changes in get_next_to_profile() (which is used by several aa-*
minitools) are restricted to cleanprof to avoid side effects in the
other aa-* minitools.
However, the other aa-* minitools possibly also suffer from problems
with named profiles, but checking and fixing that is left for another
commit ;-)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/351
... to get the profile name for a given attachment.
Since this is not very different from filename_from_attachment(), move
most of the code into a thing_from_attachment() function, and make
{profile,filename}_from_attachment wrappers for it.
Also adjust the tests to the changed internal data structure, and add
tests for profile_from_attachment().
Extend the policy syntax to have a rule that allows specifying all
permissions for all rule types.
allow all,
This is useful for making blacklist based policy, but can also be
useful when combined with other rule prefixes, eg. to add audit
to all rules.
audit access all,
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1103
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Extend the policy syntax to have a rule that allows specifying all
permissions for all rule types.
allow all,
This is useful for making blacklist based policy, but can also be
useful when combined with other rule prefixes, eg. to add audit
to all rules.
audit access all,
Signed-off-by: John Johansen <john.johansen@canonical.com>
This lays the ground work for fine grained network mediation. The switch to using the rules class brings the advantages of shared infrastructure and is needed for tracking all the different combinations possible with finer control.
In addition range generation and support for large numbers (needed for ipv6) are added. This patchset does not make policy visible changes to network rules.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1104
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Since network rules don't use the "perms" attribute, it is using the
dedup class in which duplicate rules are removed.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
There is one significant difference in the encoding of the network
rules. Before this change, when the parser was encoding a "network,"
rule, it would generate an entry for every family and every
type/protocol. After this patch the parser should generate an entry
for every family, but the type/protocol is changed to .. in the pcre
syntax. There should be no difference in behavior.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
using dfprintf for error messages subjects them to the other
output controls and can cause them to be surpressed when they
shouldn't.
Instead use a dedicated error function and add a quiet flag to
allow silencing errors.
Signed-off-by: John Johansen <john.johansen@canonical.com>
By default aa-status outputs with --verbose enabled - if --json is also
specified then aa-status would currently output in its first line "apparmor
module is loaded.":
aa-status --json | head -n1
apparmor module is loaded.
And only after this the actual json output would follow. This then results in
failures to parse this JSON output:
aa-status --json | jq .
parse error: Invalid numeric literal at line 1, column 9
This in turn then breaks tools / tests which expect the output of aa-status
--json to be purely json - e.g:
https://salsa.debian.org/apparmor-team/apparmor-profiles-extra/-/blob/debian/unstable/debian/tests/policy-is-loaded#L12
So ensure dprintf() etc do not output when --json is specified to restrict the
output of aa-status to pure JSON.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1097
Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>
coverity is reporting an overrun of the profile_mode_table
217 if (merge_profile_mode(mode, rhs.mode) == MODE_CONFLICT)
>>> CID 322989: (OVERRUN)
>>> Overrunning array "profile_mode_table" of 6 8-byte elements at element index 6 (byte offset 55) using index "this->mode" (which evaluates to 6).
this is because it is being indexed by the profile_mode enum which can
go up to a 6th entry. The code tests for MODE_CONFLICT before using
the table so it shouldn't trigger a bug today, but play it safe for
the future and also get rid of the coverity scan error by adding a
"conflict" entry to the mode_table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1098
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
SIGNAL makes more sense because it's about a single signal.
Besides that, a9494f5523 introduced a (at
that point broken) usage of SIGNAL which becomes valid with this commit.
coverity is reporting an overrun of the profile_mode_table
217 if (merge_profile_mode(mode, rhs.mode) == MODE_CONFLICT)
>>> CID 322989: (OVERRUN)
>>> Overrunning array "profile_mode_table" of 6 8-byte elements at element index 6 (byte offset 55) using index "this->mode" (which evaluates to 6).
this is because it is being indexed by the profile_mode enum which can
go up to a 6th entry. The code tests for MODE_CONFLICT before using
the table so it shouldn't trigger a bug today, but play it safe for
the future and also get rid of the coverity scan error by adding a
"conflict" entry to the mode_table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This adds two new profile flags
* `interruptible` which can be used with prompt
* `kill.signal=XXX` which can be used to set the signal used by kill mode or the kill rule prefix
In addition it adds a few cleanups and fixes around profile flag handling
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1096
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Add a flag that allows setting the signal used to kill the process.
This should not be normally used but can be very useful when
debugging applications, interaction with apparmor.
Signed-off-by: John Johansen <john.johansen@canonical.com>
When merging flags with a disconnected_path specified, there is no
check for a conflict and we can just throw away (and leak) one of
the paths.
Signed-off-by: John Johansen <john.johansen@canonical.com>
We have a basic flagvals class it makes sense to move the parser
code into it, to help make management easier going forward.
Signed-off-by: John Johansen <john.johansen@canonical.com>
By default aa-status outputs with --verbose enabled - if --json is also
specified then aa-status would currently output in its first line "apparmor
module is loaded.":
aa-status --json | head -n1
apparmor module is loaded.
And only after this the actual json output would follow. This then results in
failures to parse this JSON output:
aa-status --json | jq .
parse error: Invalid numeric literal at line 1, column 9
This in turn then breaks tools / tests which expect the output of aa-status
--json to be purely json - e.g:
https://salsa.debian.org/apparmor-team/apparmor-profiles-extra/-/blob/debian/unstable/debian/tests/policy-is-loaded#L12
So ensure dprintf() etc do not output when --json is specified to restrict the
output of aa-status to pure JSON.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
ask_exec() and ask_addhat() set
hashlog[aamode][full_profile]['final_name'].
While this was used to get profile and hat split, it was not used as key
for log_dict. This resulted in entries like
log_dict['PERMITTING']['foo//null-/usr/bin/cat']
which are obviously wrong.
Use final_name as log_dict key so that we end up with (assuming child
exec was selected)
log_dict['PERMITTING']['foo///usr/bin/cat']
This fixes a regression introduced in 3.1. Due to other changes in collapse_log() done in master, picking this into 3.1 isn't that easy. I'll submit a separate patch for 3.1.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1091
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Ideally we'd update them to the chosen exec target - but until this is
implemented, it doesn't make sense to ask about adding a //null-* peer
to a profile.
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1090
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
setns tests part of the userns could fail if the parent process opened
the child pipe to write it was done before the child opened the pipe
with read permissions.
From the fifo(7) man page:
A process can open a FIFO in nonblocking mode. In this case, opening
for read‐only succeeds even if no one has opened on the write side yet
and opening for write‐only fails with ENXIO (no such device or
address) unless the other end has already been opened.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1093
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
setns tests part of the userns could fail if the parent process opened
the child pipe to write it was done before the child opened the pipe
with read permissions.
From the fifo(7) man page:
A process can open a FIFO in nonblocking mode. In this case, opening
for read‐only succeeds even if no one has opened on the write side yet
and opening for write‐only fails with ENXIO (no such device or
address) unless the other end has already been opened.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Now that we have `final_name` as shortcut for
`hashlog[aamode][full_profile]['final_name']`, update the code that used
the long version to make it more readable.
ask_exec() and ask_addhat() set
hashlog[aamode][full_profile]['final_name'].
While this was used to get profile and hat split, it was not used as key
for log_dict. This resulted in entries like
log_dict['PERMITTING']['foo//null-/usr/bin/cat']
which are obviously wrong.
Use final_name as log_dict key so that we end up with (assuming child
exec was selected)
log_dict['PERMITTING']['foo///usr/bin/cat']
Ideally we'd update them to the chosen exec target - but until this is
implemented, it doesn't make sense to ask about adding a //null-* peer
to a profile.
On (terribly, but real-world) slow buid hosts, running test-logprof.py
fails with a timeout. Increase the timeout so that even those build
hosts get enough time to finish the aa-logprof tests.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1087
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
On (terribly, but real-world) slow buid hosts, running test-logprof.py
fails with a timeout. Increase the timeout so that even those build
hosts get enough time to finish the aa-logprof tests.
Currently you need to use attach_disconnected with
attach_disconnected.path=XXX to be able to attach to a different
location than / whic is ugly and redundant.
Make it so attach_disconnected.path implies attach_disconnected.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add support for specifying the path prefix used when attach disconnected
is specified. The kernel supports prepending a different value than
/ when a path is disconnected. Expose through a profile flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and a simple test for a single (fake) event for ping.
Notes:
- to let aa-logprof work in the CI environment, we need to skip checking
for the AppArmor mountpoint. Introduce --no-check-mountpoint for this.
- PYTHONPATH and LD_LIBRARY_PATH need to be explicitely forwarded when
starting aa-logprof via subprocess.Popen()
- if the test runs with coverage enabled, it will also start aa-logprof
with coverage (parameters copied from Makefile).
Speaking about coverage - this test adds 4% overall coverage, and 10%
more coverage for apparmor/aa.py.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1082
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... and a simple test for a single (fake) event for ping.
Notes:
- to let aa-logprof work in the CI environment, we need to skip checking
for the AppArmor mountpoint. Introduce --no-check-mountpoint for this.
- PYTHONPATH and LD_LIBRARY_PATH need to be explicitely forwarded when
starting aa-logprof via subprocess.Popen()
- if the test runs with coverage enabled, it will also start aa-logprof
with coverage (parameters copied from Makefile).
Speaking about coverage - this test adds 4% overall coverage, and 10%
more coverage for apparmor/aa.py.
(except the deprecated tunables/sys)
This allows users to extend variables without editing the main tunables
files.
It also allows to cleanly introduce new tunable files (via
tunables/global.d) and new aliases (via tunables/alias.d).
Note: some files already had `include <tunables/$FILE.d>`. These get
changed to `include if exists`, and the comments for these includes get
unified.
Also extend make check to ensure that all tunables include tunables/$FILE.d
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/347
I propose this patch for 3.0..master.
Closes#347
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1077
Approved-by: timeout
Merged-by: Christian Boltz <apparmor@cboltz.de>
Allow for the default libexec subdir, /usr/libexec/dovecot, as well
as the more common /usr/lib/dovecot.
Signed-off-by: Peter Levine <plevine457@gmail.com>
The permissions for AA_NET_OPT need to be bounded by mask so we can
make sure it matches when a policy specified only setopt or only
getopt. This was causing failures on the regression tests
unix_socket_pathname, unix_socket_abstract, unix_socket_unnamed and
unix_socket_autobind
Fixes: 44f3be091 ("parser: convert the stored audit from a bit mask to a bool")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1079
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The permissions for AA_NET_OPT need to be bounded by mask so we can
make sure it matches when a policy specified only setopt or only
getopt. This was causing failures on the regression tests
unix_socket_pathname, unix_socket_abstract, unix_socket_unnamed and
unix_socket_autobind
Fixes: 44f3be091 ("parser: convert the stored audit from a bit mask to a bool")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Add a json_log option (default: disabled) to logprof.conf that enables
logging of all aa-logprof and aa-genprof input and output to a
/tmp/aa-jsonlog-* file.
This can be useful for debugging, and maybe also to create tests that do
a full aa-logprof run.
This patch introduces a minor behaviour change if aa-logprof errors out
on startup (for example if the config file is broken or the parser can't
be found):
Before:
```
$ aa-logprof --json
{"dialog": "apparmor-json-version","data": "2.12"}
ERROR: Can't find apparmor_parser at /sbin/apparmor_parser
```
After:
```
$ aa-logprof --json
ERROR: Can't find apparmor_parser at /sbin/apparmor_parser
```
Note that the json version line will not be printed if aa-logprof or
aa-genprof error out that early.
If there are no startup errors, the behaviour will not change.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1078
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Minor fixes for the firefox profile:
1. The attachment spec was failing to match `/usr/lib/firefox-esr/firefox-esr` on Debian;
2. The `Mounted` method of `org.gtk.vfs.MountTracker` is received, not sent.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1076
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add a json_log option (default: disabled) to logprof.conf that enables
logging of all aa-logprof and aa-genprof input and output to a
/tmp/aa-jsonlog-* file.
This can be useful for debugging, and maybe also to create tests that do
a full aa-logprof run.
This patch introduces a minor behaviour change if aa-logprof errors out
on startup (for example if the config file is broken or the parser can't
be found):
Before:
```
$ aa-logprof --json
{"dialog": "apparmor-json-version","data": "2.12"}
ERROR: Can't find apparmor_parser at /sbin/apparmor_parser
```
After:
```
$ aa-logprof --json
ERROR: Can't find apparmor_parser at /sbin/apparmor_parser
```
Note that the json version line will not be printed if aa-logprof or
aa-genprof error out that early.
If there are no startup errors, the behaviour will not change.
(except the deprecated tunables/sys)
This allows users to extend variables without editing the main tunables
files.
It also allows to cleanly introduce new tunable files (via
tunables/global.d) and new aliases (via tunables/alias.d).
Note: some files already had `include <tunables/$FILE.d>`. These get
changed to `include if exists`, and the comments for these includes get
unified.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/347
It appears that lto1 does not support -dynamic, and that ld no longer
documents -dynamic. Which results in the following build failure
when usine lto1 for link time optimizations
```
[ 45s] libtool: link: gcc -shared -fPIC -DPIC .libs/grammar.o .libs/libaalogparse.o .libs/kernel.o .libs/scanner.o .libs/private.o .libs/features.o .libs/kernel_interface.o .libs/policy_cache.o .libs/PMurHash.o -flto-partition=none -O2 -fstack-protector-strong -flto=auto -dynamic -Wl,--version-script=../src/libapparmor.map -flto=auto -pthread -Wl,-soname -Wl,libapparmor.so.1 -o .libs/libapparmor.so.1.17.0
[ 45s] lto1: warning: unrecognized gcc debugging option: y
[ 45s] lto1: warning: unrecognized gcc debugging option: n
[ 45s] lto1: warning: unrecognized gcc debugging option: m
[ 45s] lto1: warning: unrecognized gcc debugging option: i
[ 45s] lto1: warning: unrecognized gcc debugging option: c
```
Switch to -Bdynamic which is documented.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1071
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
The test to check if the kernel supports a feature covers two cases:
1. The file/directory indicates a feature is supported.
2. The feature is supported if it's in the contents of the file.
When the intended check is for case 1, and the file does not exist,
then the code checks if it's case 2, but since it was not supposed to
be, we end up grepping a directory, causing an error message. Fix this
by checking if we're grepping a file.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1074
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The test to check if the kernel supports a feature covers two cases:
1. The file/directory indicates a feature is supported.
2. The feature is supported if it's in the contents of the file.
When the intended check is for case 1, and the file does not exist,
then the code checks if it's case 2, but since it was not supposed to
be, we end up grepping a directory, causing an error message. Fix this
by checking if we're grepping a file.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This reverts commit 460c3d5b59.
The 4.0 ABI was pinned for the development cycle but it can cause
in-tree uses of parser/parser.conf to fail if it cannot find the 4.0
file in /etc/apparmor.d/abi/.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
It appears that lto1 does not support -dynamic, and that ld no longer
documents -dynamic. Which results in the following build failure
when usine lto1 for link time optimizations
[ 45s] libtool: link: gcc -shared -fPIC -DPIC .libs/grammar.o .libs/libaalogparse.o .libs/kernel.o .libs/scanner.o .libs/private.o .libs/features.o .libs/kernel_interface.o .libs/policy_cache.o .libs/PMurHash.o -flto-partition=none -O2 -fstack-protector-strong -flto=auto -dynamic -Wl,--version-script=../src/libapparmor.map -flto=auto -pthread -Wl,-soname -Wl,libapparmor.so.1 -o .libs/libapparmor.so.1.17.0
[ 45s] lto1: warning: unrecognized gcc debugging option: y
[ 45s] lto1: warning: unrecognized gcc debugging option: n
[ 45s] lto1: warning: unrecognized gcc debugging option: m
[ 45s] lto1: warning: unrecognized gcc debugging option: i
[ 45s] lto1: warning: unrecognized gcc debugging option: c
Switch to -Bdynamic which is documented.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add tests for passing the parser a file that doesn't exist, a symlink
to a file that doesn't exist, and a directory that contains that
latter. Also include tests for different levels of -j passed as an
argument. These tests are based on the fixing commit 1259319508
("parser: Fix parser failing to handle errors when setting up work")
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1070
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
2023-07-13 13:38:52 -05:00
946 changed files with 21225 additions and 4109 deletions
B<NETWORK IPV4> = IPv4, represented by four 8-bit decimal numbers separated by '.'
B<NETWORK IPV6> = IPv6, represented by eight groups of four hexadecimal numbers separated by ':'. Shortened representation of contiguous zeros is allowed by using '::'
B<NETWORK PORT> = 16-bit number ranging from 0 to 65535
@@ -36,12 +36,11 @@ of resources. AppArmor's unique security model is to bind access control
attributes to programs rather than to users.
AppArmor confinement is provided via I<profiles> loaded into the kernel
via apparmor_parser(8), typically through the F</etc/init.d/apparmor>
SysV initscript, which is used like this:
via apparmor_parser(8), typically through the F<apparmor.service>
systemd unit, which is used like this:
# /etc/init.d/apparmor start
# /etc/init.d/apparmor stop
# /etc/init.d/apparmor restart
# systemctl start apparmor
# systemctl reload apparmor
AppArmor can operate in two modes: I<enforcement>, and I<complain or learning>:
@@ -110,7 +109,7 @@ I<Turn off deny audit quieting> if this is a problem).
Complain mode can be used to develop profiles incrementally as an
application is exercised. The logged accesses can be added to the
profile and then can the application further excercised to discover further
profile and then can the application further exercised to discover further
additions that are needed. Because AppArmor allows the accesses the
application will behave as it would if AppArmor was not confining it.
@@ -147,9 +146,9 @@ or to set it on boot add:
apparmor.mode=complain
as a kernel boot paramenter.
as a kernel boot parameter.
B<Warning> Setting complain mode gloabally disables all apparmor
B<Warning> Setting complain mode globally disables all apparmor
security protections. It can be useful during debugging or profile
development, but setting it selectively on a per profile basis is
safer.
@@ -218,7 +217,7 @@ or to set it on boot add:
apparmor.debug=1
as a kernel boot paramenter.
as a kernel boot parameter.
=head2 Turn off deny audit quieting
@@ -233,7 +232,7 @@ or to set it on boot add:
apparmor.audit=noquiet
as a kernel boot paramenter.
as a kernel boot parameter.
=head2 Force audit mode
@@ -255,7 +254,7 @@ or to set it on boot add:
apparmor.audit=all
as a kernel boot paramenter.
as a kernel boot parameter.
B<Audit Rate Limiting>
@@ -273,11 +272,9 @@ Else, if auditd is running, see auditd(8) and auditd.conf(5).
=over 4
=item F</etc/init.d/apparmor>
=item F</etc/apparmor.d/>
=item F</var/lib/apparmor/>
=item F</var/cache/apparmor/>
=item F</var/log/audit/audit.log>
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
