mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 23:05:11 +00:00
Code Issues Releases Wiki Activity

Compare commits

base: mir:v4.1.1
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1
..
compare: mir:v3.1.3
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1

54 Commits
v4.1.1 ... v3.1.3

Author SHA1 Message Date
John Johansen
c8eefe440c Prepare for AppArmor 3.1.3 release 
- update version file
- update library version

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-27 17:24:32 -08:00
John Johansen
df3b9601de Merge [3.x] Update samba profiles 
samba-dcerpcd requires access to `/var/cache/samba/names.tdb`.

    audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0

See also https://bbs.archlinux.org/viewtopic.php?id=281411

Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd`
has similar ones, simply add `/var/cache/samba/*.tdb rwk` to
`abstractions/samba`.

(cherry picked from commit 763c4ecd23,
with cleanup of now-superfluous rules in usr.sbin.nmbd and
usr.sbin.winbindd dropped)

Also allow access to samba pid files directly in /run/

This is a backport of !987, with the cleanup of now-superfluous rules removed.

I propose this patch for 3.x (also for 2.13 if it cleanly applies)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/988
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2023-02-27 19:52:17 +00:00
nl6720
a9fa20a456 profiles/apparmor.d/samba*: allow access to pid files directly in /run/ 
On Arch Linux, `samba-dcerpcd.pid` is in `/run/`, not `/run/samba/`.

   apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

The same is true for `nmbd.pid`, `smbd.pid` and probably others too.

(cherry picked from commit 6f0d2ef7fe)
 2023-02-27 20:37:38 +01:00
nl6720
089064439d profiles/apparmor.d/abstractions/samba: allow modifying /var/cache/samba/*.tdb 
samba-dcerpcd requires access to `/var/cache/samba/names.tdb`.

    audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0

See also https://bbs.archlinux.org/viewtopic.php?id=281411

Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd`
has similar ones, simply add `/var/cache/samba/*.tdb rwk` to
`abstractions/samba`.

(cherry picked from commit 763c4ecd23,
with cleanup of now-superfluous rules in usr.sbin.nmbd and
usr.sbin.winbindd dropped)
 2023-02-27 20:36:30 +01:00
John Johansen
1759c1bd24 Merge Add abstractions/groff with lots of groff/nroff helpers 
contributed by Werner Fink via
https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 comment 25

Note that - compared to the file in bugzilla - I removed the `rix` rules
for /usr/bin/groff and /usr/bin/nroff so that people can choose to ix,
Px or Cx groff/nroff as they wish, and then include the abstraction
inside the target profile to allow executing all the helpers.

I also added `include if exists <abstractions/groff.d>`

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/973
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 238eb8150b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-26 13:57:12 -08:00
John Johansen
68de30cf76 Merge abstractions/openssl: allow reading /etc/ssl/openssl-*.cnf 
openSUSE Tumbleweed uses /etc/ssl/openssl-1_1.cnf to make the migration
to openssl 3 possible.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1207911

I propose this patch for at least 3.1 and master, ideally for all branches (as long as it can easily be merged)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/984
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f223ed063e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-25 17:06:33 -08:00
Christian Boltz
925ccfe482 Merge Backport Recent Python Bugfixes to 3.1 
This MR backports bugfixes from !985, bringing them from `master` to `apparmor-3.1`.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/986
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
 2023-02-24 20:21:00 +00:00
Georgia Garcia
dc4b38acf0 libapparmor: add support for class in logparsing 
We want to use the class field to identify operations such as
posix_mqueue

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 5cc7a26e78)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-24 04:09:12 -08:00
Georgia Garcia
9f25b5f6ff libapparmor: add support for requested and denied on logparsing 
In order to decrease the number of characters in the audit logs
from the kernel, we will drop the "_mask" from the fields
"requested_mask" and "denied_mask".

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit a05c9483f3)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-24 04:08:57 -08:00
Mark Grassi
6e2eabd424 Fix AttributeError caused by Python 3 migration 
(cherry picked from commit cc7f8fb4d6)
 2023-02-23 22:39:28 -05:00
Mark Grassi
c8ce78e00c Replace mutable default arguments in utils 
(cherry picked from commit 2742d1f1ee)
 2023-02-23 22:39:25 -05:00
Mark Grassi
7526ba4b0a Add missing comma to tuple 
(cherry picked from commit 2be41315e7)
 2023-02-23 22:39:21 -05:00
Mark Grassi
0eaf6d3649 Replace mutable default arguments in tests 
(cherry picked from commit 14e01b5d73)
 2023-02-23 22:39:17 -05:00
Christian Boltz
e44e9187ae Merge abstractioms/nvidia: add new cache directory 
Some applications (like Firefox or Steam, but for some reason not
glxgears) now writes to ~/.cache/nvidia/*:

```
type=AVC msg=audit(1676115846.764:605): apparmor="DENIED" operation="open" profile="firefox" name="/home/vincas/.cache/nvidia/GLCache/2c0cfcdab4d7b05f8130d8f
ba8838943/ec9a05ca3988cfd1/1fee83e04c0ea4d8.toc" pid=26827 comm="firefox" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000^]FSUID="vincas" OUID="v
incas"
```

```
type=AVC msg=audit(1676134465.264:2166): apparmor="DENIED" operation="open" profile="steam" name="/home/vincas/.cache/nvidia/GLCache/95f6d95b1adf9af310bc94af5f19e509/6b24ef0587ddc7e4/23b502f99abb563c.toc" pid=56082 comm="steam" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000^]FSUID="vincas" OUID="vincas"
```

Update nvidia abstraction to allow create caches in .cache subdirectory.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/982
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit d713f75086)

15b92cd2 abstractioms/nvidia: add new cache directory
 2023-02-16 17:41:49 +00:00
Christian Boltz
677051bd02 Merge nvidia_modprobe: update for driver families and /sys path 
Debian have split NVIDIA drivers into current, tesla and legacy:

```
$ apt-file search /etc/nvidia/ | grep -P -o -e
"(?<=/etc/nvidia/).[^/]*/" | sort -u
current/
current-open/
legacy-340xx/
legacy-390xx/
tesla/
tesla-418/
tesla-450/
tesla-460/
tesla-470/
tesla-510/
```

These paths are used by nvidia_modprobe -> kmod:

```
type=AVC msg=audit(1676135718.796:2592): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-blacklists-nouveau.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
type=AVC msg=audit(1676135718.796:2593): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-options.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
type=AVC msg=audit(1676135718.796:2594): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-modprobe.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
```

Also, additional /sys path is accessed:

```
type=AVC msg=audit(1676136251.680:2956): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/sys/module/drm/initstate" pid=63642 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
```

Update nvidia_modprobe profile to this these denials.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/983
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 94d2faab71)

8e50c351 nvidia_modprobe: update for driver families and /sys path
 2023-02-14 18:39:27 +00:00
John Johansen
21ca572de6 Merge postfix-tlsmgr: allow reading openssl.cnf 
Seen/needed on openSUSE Tumbleweed

I propose this patch for all branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/981
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3e89b4aab2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-09 00:17:43 -08:00
John Johansen
6c240a473b Merge avahi-daemon needs attach_disconnected 
... for var/lib/nscd/passwd and var/lib/nscd/group

I propose this patch for all branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/960
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 2c72dd5541)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-03 21:27:10 -08:00
John Johansen
eec9086ecf Merge [3.1] firefox.sh: Adjust local include to match master 
The local include in firefox.sh was just added today. Change it to the
value we have in master (as soon as !975 gets accepted).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/976
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2023-02-02 18:16:03 +00:00
John Johansen
81d8af7c13 Merge nscd: allow using systemd-userdb 
If systemd-userdb is used to configure some users, nscd needs to read
the userdb files.

See also https://www.freedesktop.org/software/systemd/man/nss-systemd.html
for the list of possible filenames (and symlinks).

Fixes: http://bugzilla.opensuse.org/show_bug.cgi?id=1207698

I propose this patch for all branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/977
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 5df8da3c37)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-01 19:56:03 -08:00
John Johansen
a9bea8a377 Merge Fix mode not being printed when debugging AF_UNIX socket rules. 
This was due to the values being defined in both af_unix and af_rule leaving the latter values unset.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/979
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit da7d3a2101)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-01 19:50:55 -08:00
Georgia Garcia
3aa895073a Merge Fix spacing when printing out AF_UNIX addresses 
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/978
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 608560ee43)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-01 19:50:37 -08:00
Christian Boltz
dcf7e9a0d5 firefox.sh: Adjust local include to match master 
The local include in firefox.sh was just added today. Change it to the
value we have in master (as soon as MR 975 gets accepted).
 2023-01-30 12:11:21 +01:00
Christian Boltz
57fec9624d Merge Ensure all profiles in extras/ have optional local include + comment 
Recently got bitten by `usr.sbin.lighttpd` not having the local include, so I figured I'd bring all the `extras/` profiles up to parity.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/974
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 8895e00ef1)

d0e32a32 Ensure all profiles in extras/ have optional local include + comment
 2023-01-30 10:16:20 +00:00
John Johansen
aee9bf56c0 Merge libapparmor: add scanner support for dbus method 
In the [merge request that adds AppArmor support on D-Bus Broker](https://github.com/bus1/dbus-broker/pull/286), the word "method" is used instead of "member" on the auditing logs.
So we are adding support to parse "method" the same way as "member" on D-Bus audit logs.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/958
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a96fa35bd5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-25 13:08:31 -08:00
John Johansen
0295fadab3 Merge add dbus-broker support on regression tests 
dbus-broker requires some modification of the test suite. In summary:

* refactor to support starting and stopping both dbus and dbus-broker.
* Make it so we can run the tests on each, where appropriate
* skip unrequested reply and eavesdrop tests for dbus broker because they are not supported.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/965
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 223036d952)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-24 16:39:44 -08:00
John Johansen
5bc35342ed Merge Fix: Opening links with Brave 
Resolves #292.

This fix is the same as !830 but for Brave.
Opening links in Brave now works as intended.

Note that now a separate denial is caused, related to WidevineCDM, is produced:
```
[ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object)
```

In the syslog:
```
audit: type=1400 audit(1671108748.090:117): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=65765 comm="brave" requested_mask="m" denied_mask="m" fsuid=1000 ouid=100
```

I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR.

If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin:
```
audit: type=1400 audit(1671112807.666:174): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=112098 comm="brave" capability=21  capname="sys_admin"
```
which is fine, as mentioned by @jjohansen [here](https://gitlab.com/apparmor/apparmor/-/merge_requests/830#note_831915024).

Closes #292
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/957
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 5fd8c25745)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-24 16:32:30 -08:00
John Johansen
6cc9160246 Merge Extend crypto and ssl_certs abstractions 
- ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory
- crypoto: allow reading /etc/gcrypt/hwf.deny

I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/961
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit bb30df7843)

d15bfa99 Extend crypto and ssl_certs abstractions
 2023-01-24 23:10:21 +00:00
Christian Boltz
5452053f5b Merge Add pipewire client.conf to audio abstractions 
Fixes: https://bugs.launchpad.net/bugs/2003702

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/970
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit dedb5d94cb)

b5a7641d Add pipewire client.conf to audio abstractions
 2023-01-23 20:35:14 +00:00
Christian Boltz
da906cda8c Merge profiles: dnsmasq: add Waydroid pid file 
Waydroid uses LXC and some lxc-net equivalent scripts. Allow that.

b910c89174/data/scripts/waydroid-net.sh
https://web.archive.org/web/20221202141315/https://docs.waydro.id/debugging/known-issues

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/969
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit d61ccafcb3)

977e45c1 profiles: dnsmasq: add Waydroid pid file
 2023-01-22 18:11:28 +00:00
John Johansen
a19754f52f Merge regression tests: fix bogon patch characters in Makefile 
Commit 8cf3534a5 ("tests regression: fix failure on older versions of
Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639
was incorrectly applied, including the `+` prefixes from the proposed
patch. This causes the sysctl syscall() checks to not correctly be
applied and results in a mismatch of expectations in the
syscall_sysctl.sh test script, causing it and the testsuite to fail.

Thus, remove the bogon `+` characters from the Makefile, to make
USE_SYSCTL be set correctly.

Fixes: 8cf3534a5 ("tests regression: fix failure on older versions of Make")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/963
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f0bc1a89a4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-04 16:45:22 -08:00
John Johansen
379a486b87 Merge aa-status: Fix malformed json output with unconfined processes 
As reported in issue #295, the json output from aa-status would be invalid if
there were profiles defined for processes that were unconfined. Fix this by
ensuring the json for the processes array is closed properly.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/964
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit dfc9847f89)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-04 09:33:59 -08:00
Georgia Garcia
5ad91d482d Merge log parsing fixes 
small fixes on log parsing

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/959
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 4f2d2a8cab)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2022-12-16 16:55:31 -03:00
John Johansen
19bbc5dfc3 Merge parser: Fix invalid reference to transitions when building the chfa 
States are not guaranteed to have transitions, but when inserting
a state into the chfa table there is an unconditional dereference
to the states first transition.

This will result in a bad reference and could result in an OOB
flag being set on the state when it shouldn't be.

Fixes: 16b67ddbd ("add ability to use out of band transitions"
Closes: https://gitlab.com/apparmor/apparmor/-/issues/290
Reported-by: Nobel Barakat <nobelbarakat@google.com>
Reported-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Closes #290
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/956
Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit a7bce9be98)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-12-09 23:03:54 -08:00
John Johansen
66cb0ed739 Merge smbd: allow reading /var/lib/nscd/netgroup 
(reported on the opensuse-factory mailinglist)

I propose this patch for 2.13..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/948
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ba01d479e2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-11-29 12:56:21 -08:00
Christian Boltz
d179a704e7 Merge abstractions/nvidia: allow reading @{pid}/comm 
On Debian Sid, NVIDIA driver spams log with:

```
type=AVC msg=audit(1669542108.552:11855): apparmor="DENIED"
operation="open" profile="qtox" name="/proc/21222/comm" pid=21222
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000FSUID="vincas" OUID="vincas"
```

```
type=AVC msg=audit(1669541506.703:11329): apparmor="DENIED"
operation="open" profile="skypeforlinux" name="/proc/19851/comm"
pid=19851 comm="skypeforlinux" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```

Read is initiated within libnvidia-glcore.so:

```
Thread 1 "qtox" hit Catchpoint 1 (call to syscall openat), 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41
41	in ../sysdeps/unix/sysv/linux/open64.c
$27 = 0x7fb742adbb50 "/proc/self/comm"
0  0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41
1  0x00007fb797aa0862 in __GI__IO_file_open (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=<optimized out>) at ./libio/fileops.c:188
2  0x00007fb797aa0a1b in _IO_new_file_fopen (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", mode=<optimized out>, mode@entry=0x7fb7428effe2 "r", is32not64=is32not64@entry=1) at ./libio/fileops.c:280
3  0x00007fb797a950f9 in __fopen_internal (filename=0x7fb742adbb50 "/proc/self/comm", mode=0x7fb7428effe2 "r", is32=1) at ./libio/iofopen.c:75
4  0x00007fb7423d791f in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
5  0x00007fb7423d4515 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
6  0x00007fb7423d0226 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
7  0x00007fb7423e1961 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
8  0x00007fb74824bc79 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
9  0x00007fb7482b1c56 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
10 0x000000000000001d in ?? ()
11 0x00005579518975f0 in ?? ()
12 0x0000000000000001 in ?? ()
13 0x00007fb74824b1eb in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
14 0x00005579518975f0 in ?? ()
15 0x00007fb79b2dda79 in call_init (env=0x7ffd92d7aac8, argv=0x7ffd92d7aab8, argc=-1831363648, l=0x7fb748516f70) at ./elf/dl-init.c:56
16 call_init (l=0x7fb748516f70, argc=-1831363648, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:26
17 0x00007fb79b2ddba4 in _dl_init (main_map=0x5579518975f0, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:117
18 0x00007fb797b6def4 in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:182
19 0x00007fb79b2e430e in dl_open_worker (a=a@entry=0x7ffd92d79f20) at ./elf/dl-open.c:808
20 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208
21 0x00007fb79b2e46a8 in _dl_open (file=0x557951888020 "libGLX_nvidia.so.0", mode=<optimized out>, caller_dlopen=0x7fb78d7d4d27, nsid=<optimized out>, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-open.c:884
22 0x00007fb797aa42d8 in dlopen_doit (a=a@entry=0x7ffd92d7a190) at ./dlfcn/dlopen.c:56
23 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=exception@entry=0x7ffd92d7a0f0, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208
24 0x00007fb797b6df4f in __GI__dl_catch_error (objname=0x7ffd92d7a148, errstring=0x7ffd92d7a150, mallocedp=0x7ffd92d7a147, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:227
25 0x00007fb797aa3dc7 in _dlerror_run (operate=operate@entry=0x7fb797aa4280 <dlopen_doit>, args=args@entry=0x7ffd92d7a190) at ./dlfcn/dlerror.c:138
26 0x00007fb797aa4389 in dlopen_implementation (dl_caller=<optimized out>, mode=<optimized out>, file=<optimized out>) at ./dlfcn/dlopen.c:71
27 ___dlopen (file=<optimized out>, mode=<optimized out>) at ./dlfcn/dlopen.c:81
28 0x00007fb78d7d4d27 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0
29 0x00007fb78d7d6335 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0
30 0x00007fb78d7cf9f8 in glXChooseFBConfig () from /lib/x86_64-linux-gnu/libGLX.so.0
31 0x00007fb748646f6a in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
32 0x00007fb748644450 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
33 0x00007fb7486421b7 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
34 0x00007fb79838262d in QOpenGLContext::create() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
35 0x00007fb74bb4303c in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so
36 0x00007fb797eb7aaf in qt_call_pre_routines () at kernel/qcoreapplication.cpp:317
37 QCoreApplicationPrivate::init (this=<optimized out>) at kernel/qcoreapplication.cpp:849
38 0x00007fb7983379dc in QGuiApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
39 0x00007fb798b684c9 in QApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5
40 0x0000557950f1d597 in main ()
```

Add read rule to allow reading @{pid}/comm.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/954
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 2597fd5db8)

948cbb56 abstractions/nvidia: allow reading @{pid}/comm
 2022-11-27 13:06:48 +00:00
Christian Boltz
4244737f65 Merge lsb_release: allow cat and cut 
lsb_release fails on Debian Sid:

```
$ sudo aa-exec -p lsb_release lsb_release
/usr/bin/lsb_release: 70: cut: Permission denied
/usr/bin/lsb_release: 70: cut: Permission denied
```

```
$ sudo aa-exec -p lsb_release lsb_release -h
/usr/bin/lsb_release: 11: cat: Permission denied
```

```
type=AVC msg=audit(1669540199.087:2680): apparmor="DENIED"
operation="exec" profile="lsb_release" name="/usr/bin/cut" pid=17419
comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0
ouid=0FSUID="root" OUID="root"
```

```
type=AVC msg=audit(1669540392.244:2944): apparmor="DENIED"
operation="exec" profile="lsb_release" name="/usr/bin/cat" pid=17847
comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0
ouid=0FSUID="root" OUID="root"
```

Update profile to allow lsb_release script to invoke required
executables.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/953
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 495f68c797)

f596a176 lsb_release: allow cat and cut
 2022-11-27 13:00:19 +00:00
Christian Boltz
e617f04681 Merge Include profile name in error message on directory exec 
... to make the error message more helpful.

Inspired by https://gitlab.com/apparmor/apparmor/-/issues/285

I propose this patch for 3.1 and master.
(3.0 uses a different variable name - if we want it there, it needs a slightly different patch.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/949
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit dd5a6c2e0a)

ef5c4b50 Include profile name in error message on directory exec
 2022-11-21 12:59:51 +00:00
Christian Boltz
9d826aae65 Merge Catch PermissionError when trying to write a profile 
... and re-raise it as AppArmorException so that only the actual error
(without a backtrace) gets displayed.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/282

I propose this patch for 3.0..master.

Closes #282
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/946
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 50074a3c01)

d0ec2aca Catch PermissionError when trying to write a profile
 2022-11-15 20:46:12 +00:00
Christian Ehrhardt
465c861b02 Allow access to possible cpus for glibc-2.36 
Glibc in 2.36 and later will [1] access sysfs at
/sys/devices/system/cpu/possible when usig sysconf
for _SC_NPROCESSORS_CONF.

That will make a lot of different code, for example
anything linked against libnuma, trigger this apparmor
denial.

  apparmor="DENIED" operation="open" class="file" ...
  name="/sys/devices/system/cpu/possible" ...
  requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This entry seems rather safe, and it follows others
that are already in place. Instead of fixing each
software individually this should go into the base
profile as well.

Initially reported via
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
MR: none - ML
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit c159d0925a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-11-14 21:47:18 -08:00
John Johansen
dc85d04805 Merge Adds WSL programmatic management of /etc/resolv.conf. 
When WSL automatically generates a resolv.conf for an instance, the /etc/resolv.conf file is a symlink to /mnt/wsl/resolv.conf. This patch adds an entry for this to the other policies to handle such management.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/935
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit 8fa77e9e6c)

5232eaa2 Adds /mnt/wsl/resolv.conf to nameservices.
 2022-11-08 18:13:57 +00:00
John Johansen
a40923006c Merge Allow reading /sys/devices/system/cpu/possible 
... in the dnsmasq//libvirt_leaseshelper profile

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202849

I propose this patch for 3.0, 3.1 and master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/917
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit 37f0f77425)

ace8e044 Allow reading /sys/devices/system/cpu/possible
 2022-11-08 18:11:23 +00:00
John Johansen
1fe80c0f85 Prepare for AppArmor 3.1.2 release 
- update version file
- update library version

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-11-07 10:44:48 -08:00
John Johansen
8043dda3f6 Merge Hardcode and check the expected libapparmor.so name/number 
... to prevent wrong/unexpected numbering (like
https://gitlab.com/apparmor/apparmor/-/issues/266) in future releases.

I propose this patch for master and 3.1.

Backporting to 3.0 and 2.x might also make sense, but of course needs a different .so number.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/915
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit bed1471144)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-10-29 03:08:56 -07:00
John Johansen
e95080e140 Merge libapparmor: allow parsing of logs with 0x1d + uppercase items 
audit.log lines on Arch have an additional FSUID="username" OUID="username",
separated from the previous part of the log line with 0x1d.

Extend the log parsing to accept 0x1d as whitespace, and to recognize
(and ignore) FSUID and OUID.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271

Also add one of the log lines from #271 as test_multi test case.

I propose this patch for 3.0..master.

Closes #271
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/940
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 0d61139e2a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-10-29 03:06:30 -07:00
John Johansen
45125cedd3 Merge syslog-ng: allow reading *.journal in flatter directory structure 
On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in
/var/log/journal/*.journal - without an additional subdirectory level.

I propose this patch for 2.13..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/932
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2022-10-28 05:56:57 -07:00
Christian Boltz
969a8f7618 Merge samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/ 
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572

I propose this fix for 3.0..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/937
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit fab4b4e762)

6920daea samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/
 2022-10-27 22:34:12 +00:00
Christian Boltz
770b8f1e88 Merge abstactions/kde: update for kwinrc, kdedefaults/* files 
GUI applications such as KDE dragon player, qTox, LibreOffice tries to
access .config/kwinrc, .config/kdedefaults/kwinrc and
.config/kdedefaults/kdeglobals.

Update abstractions/kde to fix denials for applications running under
KDE.

Some examples:
```
type=AVC msg=audit(1666458796.112:5561): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666458796.204:5683): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kwinrc" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"

```
```
type=AVC msg=audit(1666462415.255:3640): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666462415.343:3641): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kwinrc" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```

```
type=AVC msg=audit(1666459466.968:5852): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666459467.076:6057): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666459467.076:6058): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"

```

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/936
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 18d1b06b0c)

d9dc0b61 abstactions/kde: update for kwinrc, kdedefaults/* files
 2022-10-22 19:28:38 +00:00
Christian Boltz
3345250f72 Merge parser: fix DISTRO variable in Makefile 
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.

Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/928
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 05d7bdd655)

1df547ee parser: fix DISTRO variable in Makefile
 2022-10-07 19:54:08 +00:00
John Johansen
51cf0848c7 Merge profiles/apparmor.d: Update samba profile 
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990692
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/926
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit e1cc90f3a2)

96aff5a5 profiles/apparmor.d: Update samba profile
 2022-10-01 10:20:32 +00:00
Christian Boltz
e0c0a6a6a5 Merge Prevent crash on log entries for non-existing profile 
If audit.log contains entries for a profile that doesn't exist (for
example when working with a log file from another system), skip these
log entries instead of crashing.

Reproducer (crashes without this patch):

    aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')

I propose this patch for 3.1 and master. (3.0 and older are not affected and do not need this fix.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/919
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit f5594fbb7c)

94c7c79c Prevent crash on log entries for non-existing profile
 2022-08-29 19:56:17 +00:00
Steve Beattie
ea127f13cd common/Version: bump version for 3.1.1 release 
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
 2022-08-26 23:35:24 -07:00
Christian Boltz
480cb56553 Merge profiles: permit php-fpm pid files directly under run/ 
The upstream php-fpm.conf file carries the following pid file example
path:
  [global]
  ; Pid file
  ; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
  ; Default Value: none
  ;pid = run/php-fpm.pid

Add this path to profiles/apparmor.d/php-fpm, alongside the current
nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267

Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: David Disseldorp <ddiss@suse.de>

Closes #267
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/914
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit d024100efe)

d8533ec8 profiles: permit php-fpm pid files directly under run/
 2022-08-26 10:36:11 +00:00
Georgia Garcia
075c69a4eb Merge [3.1] libapparmor: fix mistaken SO version bump 
In commit 7c7224004 ("Prepare for AppArmor 3.1 release"), as preperation
for the AppArmor 3.1.0 release, the SO versioning information was
adjusted, using a more significant bump to give prior AppArmor releases
room to address bugs in libapparmor without ending up with conflicting
SO versions. Unfortunately, that process was untested and because
AA_LIB_AGE was not incremented by the same amount as AA_LIB_CURRENT,
this resulted in an accidental major SO versions bump with the library
SO version being:

  libapparmor.so.4.9.0

This commit increments AA_LIB_AGE by the same amount, resulting in a
library versioned as:

  libapparmor.so.1.12.0

and adds a note to mention that AA_LIB_AGE needs to be incremented
in the same way as AA_LIB_CURRENT. This fix is intended to address
this for the 3.1 branch; I'd like to find a better approach for
the development branch that can be used in future AppArmor primary
releases.

In general, thanks to symbol versioning (see
`libraries/libapparmor/src/libapparmor.map`) we should not need to
ever bump the SO version except in an extreme case.

Fixes: 7c7224004 ("Prepare for AppArmor 3.1 release")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/266

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/913
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
 2022-08-25 20:10:30 +00:00
Steve Beattie
f9dbaa38ec [3.1] libapparmor: fix mistaken SO version bump 
In commit 7c7224004 ("Prepare for AppArmor 3.1 release"), as preperation
for the AppArmor 3.1.0 release, the SO versioning information was
adjusted, using a more significant bump to give prior AppArmor releases
room to address bugs in libapparmor without ending up with conflicting
SO versions. Unfortunately, that process was untested and because
AA_LIB_AGE was not incremented by the same amount as AA_LIB_CURRENT,
this resulted in an accidental major SO versions bump with the library
SO version being:

  libapparmor.so.4.9.0

This commit increments AA_LIB_AGE by the same amount, resulting in a
library versioned as:

  libapparmor.so.1.12.0

and adds a note to mention that AA_LIB_AGE needs to be incremented
in the same way as AA_LIB_CURRENT. This fix is intended to address
this for the 3.1 branch; I'd like to find a better approach for
the development branch that can be used in future AppArmor primary
releases.

In general, thanks to symbol versioning (see
`libraries/libapparmor/src/libapparmor.map`) we should not need to
ever bump the SO version except in an extreme case.

Fixes: 7c7224004 ("Prepare for AppArmor 3.1 release")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/266
 2022-08-25 11:55:42 -07:00
1420 changed files with 10139 additions and 49958 deletions
Expand all files Collapse all files

86
.gitignore vendored
View File

@@ -1,4 +1,4 @@
apparmor-
apparmor-*
cscope.*
binutils/aa-enabled
binutils/aa-enabled.1
@@ -6,29 +6,15 @@ binutils/aa-exec
binutils/aa-exec.1
binutils/aa-features-abi
binutils/aa-features-abi.1
binutils/aa-load
binutils/aa-load.8
binutils/aa-status
binutils/aa-status.8
binutils/cJSON.o
binutils/po/*.mo
changehat/mod_apparmor/.libs
changehat/mod_apparmor/mod_apparmor.8
changehat/mod_apparmor/mod_apparmor.8.html
changehat/mod_apparmor/mod_apparmor.la
changehat/mod_apparmor/mod_apparmor.lo
changehat/mod_apparmor/mod_apparmor.slo
changehat/mod_apparmor/mod_apparmor.so
changehat/mod_apparmor/pod2htmd.tmp
changehat/pam_apparmor/get_options.o
changehat/pam_apparmor/pam_apparmor.o
changehat/pam_apparmor/pam_apparmor.so
parser/po/*.mo
parser/af_names.h
parser/cap_names.h
parser/generated_cap_names.h
parser/generated_af_names.h
parser/errnos.h
parser/tst_lib
parser/tst_misc
parser/tst_regex
@@ -40,9 +26,38 @@ parser/parser_version.h
parser/parser_yacc.c
parser/parser_yacc.h
parser/pod2htm*.tmp
parser/libapparmor_re/*.o
parser/af_rule.o
parser/af_unix.o
parser/common_optarg.o
parser/dbus.o
parser/default_features.o
parser/lib.o
parser/libapparmor_re/aare_rules.o
parser/libapparmor_re/chfa.o
parser/libapparmor_re/expr-tree.o
parser/libapparmor_re/hfa.o
parser/libapparmor_re/libapparmor_re.a
parser/*.o
parser/libapparmor_re/parse.o
parser/mount.o
parser/network.o
parser/parser_alias.o
parser/parser_common.o
parser/parser_include.o
parser/parser_interface.o
parser/parser_lex.o
parser/parser_main.o
parser/parser_merge.o
parser/parser_misc.o
parser/parser_policy.o
parser/parser_regex.o
parser/parser_symtab.o
parser/parser_variable.o
parser/parser_yacc.o
parser/policy_cache.o
parser/profile.o
parser/ptrace.o
parser/rule.o
parser/signal.o
parser/*.7
parser/*.5
parser/*.8
@@ -121,18 +136,6 @@ libraries/libapparmor/src/tst_aalogmisc
libraries/libapparmor/src/tst_aalogmisc.log
libraries/libapparmor/src/tst_aalogmisc.o
libraries/libapparmor/src/tst_aalogmisc.trs
libraries/libapparmor/src/tst_aalogparse_cpp
libraries/libapparmor/src/tst_aalogparse_cpp.log
libraries/libapparmor/src/tst_aalogparse_cpp.o
libraries/libapparmor/src/tst_aalogparse_cpp.trs
libraries/libapparmor/src/tst_aalogparse_reentrancy
libraries/libapparmor/src/tst_aalogparse_reentrancy.log
libraries/libapparmor/src/tst_aalogparse_reentrancy.o
libraries/libapparmor/src/tst_aalogparse_reentrancy.trs
libraries/libapparmor/src/tst_aalogparse_oldname
libraries/libapparmor/src/tst_aalogparse_oldname.log
libraries/libapparmor/src/tst_aalogparse_oldname.o
libraries/libapparmor/src/tst_aalogparse_oldname.trs
libraries/libapparmor/src/tst_features
libraries/libapparmor/src/tst_features.log
libraries/libapparmor/src/tst_features.o
@@ -193,6 +196,7 @@ libraries/libapparmor/testsuite/libaalogparse.test/Makefile
libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
libraries/libapparmor/testsuite/test_multi/out
libraries/libapparmor/testsuite/test_multi_multi-test_multi.o
changehat/mod_apparmor/.libs
utils/*.8
utils/*.8.html
utils/*.5
@@ -203,7 +207,6 @@ utils/apparmor/*.pyc
utils/apparmor/rule/*.pyc
utils/apparmor.egg-info/
utils/build/
!utils/emacs/apparmor-mode.el
utils/htmlcov/
utils/test/common_test.pyc
utils/test/.coverage
@@ -232,7 +235,6 @@ tests/regression/apparmor/chgrp
tests/regression/apparmor/chmod
tests/regression/apparmor/chown
tests/regression/apparmor/clone
tests/regression/apparmor/complain
tests/regression/apparmor/dbus_eavesdrop
tests/regression/apparmor/dbus_message
tests/regression/apparmor/dbus_service
@@ -251,23 +253,17 @@ tests/regression/apparmor/fd_inheritance
tests/regression/apparmor/fd_inheritor
tests/regression/apparmor/fork
tests/regression/apparmor/introspect
tests/regression/apparmor/io_uring
tests/regression/apparmor/link
tests/regression/apparmor/link_subset
tests/regression/apparmor/mkdir
tests/regression/apparmor/mmap
tests/regression/apparmor/mount
tests/regression/apparmor/move_mount
tests/regression/apparmor/named_pipe
tests/regression/apparmor/net_inet_rcv
tests/regression/apparmor/net_inet_snd
tests/regression/apparmor/net_raw
tests/regression/apparmor/open
tests/regression/apparmor/openat
tests/regression/apparmor/pipe
tests/regression/apparmor/pivot_root
tests/regression/apparmor/posix_mq_rcv
tests/regression/apparmor/posix_mq_snd
tests/regression/apparmor/ptrace
tests/regression/apparmor/ptrace_helper
tests/regression/apparmor/pwrite
@@ -291,8 +287,6 @@ tests/regression/apparmor/syscall_setpriority
tests/regression/apparmor/syscall_setscheduler
tests/regression/apparmor/syscall_sysctl
tests/regression/apparmor/sysctl_proc
tests/regression/apparmor/sysv_mq_rcv
tests/regression/apparmor/sysv_mq_snd
tests/regression/apparmor/tcp
tests/regression/apparmor/transition
tests/regression/apparmor/unix_fd_client
@@ -300,23 +294,9 @@ tests/regression/apparmor/unix_fd_server
tests/regression/apparmor/unix_socket
tests/regression/apparmor/unix_socket_client
tests/regression/apparmor/unlink
tests/regression/apparmor/userns
tests/regression/apparmor/userns_setns
tests/regression/apparmor/uservars.inc
tests/regression/apparmor/xattrs
tests/regression/apparmor/xattrs_profile
tests/regression/apparmor/coredump
**/__pycache__/
*.orig
# Patterns related to spread integration tests
*.img
*.iso
*.lock
*.log
*.qcow2
*.run
.spread-reuse.yaml
.spread-reuse.*.yaml
spread-artifacts/
spread-logs/

261
.gitlab-ci.yml
View File

@@ -1,51 +1,28 @@
spec:
inputs:
build-test-images:
default: false
type: boolean
description: Explicitly build virtual machine images used by integration tests.
---
image: ubuntu:latest
# XXX - add a deploy stage to publish man pages, docs, and coverage
# reports
workflow:
rules:
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
- if: $CI_COMMIT_TAG
- if: $CI_COMMIT_BRANCH
stages:
- build
- test
- spread
.ubuntu-common:
interruptible: true
.ubuntu-before_script:
before_script:
# Install build-dependencies by loading the package list from the ubuntu/debian cloud-init profile.
- printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_deps "Installing dependencies..."
- export DEBIAN_FRONTEND=noninteractive
- apt-get update -qq
- apt-get install --yes yq make lsb-release
- |
printf 'include .image-garden.mk\n$(info $(UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE))\n.PHONY: nothing\nnothing:\n' \
| make -f - nothing \
| yq '.packages | .[]' \
| xargs apt-get install --yes --no-install-recommends
- printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_deps
after_script:
# Inspect the kernel and lsb-release.
- apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
- lsb_release -a
- uname -a
.install-c-build-deps: &install-c-build-deps
- apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
build-all:
stage: build
extends:
- .ubuntu-common
script:
# Run the spread prepare section to build everything.
- yq -r '.prepare' <spread.yaml | SPREAD_PATH=. bash -xeu
- .ubuntu-before_script
artifacts:
name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
expire_in: 30 days
@@ -58,33 +35,39 @@ build-all:
- changehat/mod_apparmor/
- changehat/pam_apparmor/
- profiles/
script:
- *install-c-build-deps
- cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
- make -C parser
- make -C binutils
- make -C utils
- make -C changehat/mod_apparmor
- make -C changehat/pam_apparmor
- make -C profiles
test-libapparmor:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-common
- .ubuntu-before_script
script:
# This is to touch the built files in the test stage to avoid needless rebuilding
- make -C libraries/libapparmor --touch
- *install-c-build-deps
- make -C libraries/libapparmor check
test-parser:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-common
- .ubuntu-before_script
script:
# This is to touch the built files in the test stage to avoid needless rebuilding
- make -C parser --touch
- make -C parser -j $(nproc) tst_binaries
- *install-c-build-deps
- make -C parser check
test-binutils:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-common
- .ubuntu-before_script
script:
- make -C binutils check
@@ -92,16 +75,9 @@ test-utils:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-common
- .ubuntu-before_script
script:
# This is to touch the built files in the test stage to avoid needless rebuilding
- make -C utils --touch
# TODO: move those to cloud-init list?
- printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
- apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter flake8 python3-coverage python3-notify2 python3-psutil python3-setuptools python3-tk python3-ttkthemes python3-gi
- printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
- apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
# See apparmor/apparmor#221
- make -C parser/tst gen_dbus
- make -C parser/tst gen_xtrans
@@ -116,37 +92,30 @@ test-mod-apparmor:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-common
- .ubuntu-before_script
script:
# This is to touch the built files in the test stage to avoid needless rebuilding
- make -C changehat/mod_apparmor --touch
- make -C changehat/mod_apparmor check
test-profiles:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-common
- .ubuntu-before_script
script:
# This is to touch the built files in the test stage to avoid needless rebuilding
- make -C profiles --touch
- make -C profiles check-parser
- make -C profiles check-abstractions.d
- make -C profiles check-local
shellcheck:
stage: test
needs: []
extends:
- .ubuntu-common
- .ubuntu-before_script
script:
- printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
- apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
- printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
- shellcheck --version
- "./tests/bin/shellcheck-tree --format=checkstyle
| xmlstarlet tr tests/checkstyle2junit.xslt
> shellcheck.xml"
- apt-get install --no-install-recommends -y file shellcheck xmlstarlet
- shellcheck --version
- './tests/bin/shellcheck-tree --format=checkstyle
| xmlstarlet tr tests/checkstyle2junit.xslt
> shellcheck.xml'
artifacts:
when: always
reports:
@@ -167,171 +136,3 @@ include:
variables:
SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"
coverity:
stage: .post
interruptible: true
extends:
- .ubuntu-common
script:
- printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
- apt-get install --no-install-recommends -y curl git texlive-latex-recommended
- printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
- curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
--form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
- tar xfz /tmp/cov-analysis-linux64.tgz
- COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
- PATH=$PATH:$(pwd)/$COV_VERSION/bin
- make coverity
- curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
--form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
--form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
--form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
artifacts:
paths:
- "apparmor-*.tar.gz"
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PROJECT_PATH == "apparmor/apparmor"
.image-garden-x86_64:
stage: spread
interruptible: true
# TODO: use tagged release once container tagging is improved upstream.
image: registry.gitlab.com/zygoon/image-garden:latest
tags:
- linux
- x86_64
- kvm
variables:
ARCH: x86_64
GARDEN_DL_DIR: dl
CACHE_POLICY: pull-push
CACHE_COMPRESSION_LEVEL: fastest
before_script:
# Restore the mtime of the .image-garden.mk file. This helps make determine
# if there's actually something to do correctly. Git does not preserve the
# mtime of files during checkout.
- git restore-mtime .image-garden.mk
# Prepare the image in dry-run mode. This helps in debugging cache misses
# when files are not cached correctly by the runner, causing the build section
# below to always do hevy-duty work.
- printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
- image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
- printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
script:
# Prepare the image, for real.
- printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image "Prepare image"
# If there's nothing to do then remove all the files that we would normally
# cache so that GitLab skips the cache upload step. This saves significant
# time required to re-compress and upload unchanged content.
# The idea for how to do is is documented at
# https://olex.biz/2025/04/gitlab-ci-prevent-cache-reupload-without-changes/
# The GitLab issue requesting a proper feature is
# https://gitlab.com/gitlab-org/gitlab/-/issues/226068
- |
if image-garden make --question "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"; then
rm -f "$GARDEN_SYSTEM".* efi-code.*.img efi-vars.*.img
rm -rf "$GARDEN_DL_DIR"
else
image-garden make "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
fi
- printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image
cache:
# Cache the base image (pre-customization).
- key: image-garden-base-${GARDEN_SYSTEM}.${ARCH}
policy: $CACHE_POLICY
when: always
paths:
- $GARDEN_DL_DIR
# Those are never mutated so they are safe to share.
- efi-code.*.img
- efi-vars.*.img
# Cache the customized system. This cache depends on .image-garden.mk file
# so that any customization updates are immediately acted upon.
- key:
prefix: image-garden-custom-${GARDEN_SYSTEM}.${ARCH}-
files:
- .image-garden.mk
policy: $CACHE_POLICY
when: always
paths:
- $GARDEN_SYSTEM.*
- $GARDEN_SYSTEM.seed.iso
- $GARDEN_SYSTEM.meta-data
- $GARDEN_SYSTEM.user-data
# This job builds and caches the image that the job below looks at.
image-ubuntu-cloud-24.04-x86_64:
extends: .image-garden-x86_64
variables:
GARDEN_SYSTEM: ubuntu-cloud-24.04
needs: []
dependencies: []
rules:
- if: $CI_COMMIT_TAG
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
changes:
paths:
- .image-garden.mk
- .gitlab-ci.yml
compare_to: "refs/heads/master"
- if: $CI_COMMIT_BRANCH && "$[[ inputs.build-test-images ]]" == "true"
.spread-x86_64:
extends: .image-garden-x86_64
variables:
# GitLab project identifier of zygoon/spread-dist can be seen on
# https://gitlab.com/zygoon/spread-dist, under the three-dot menu on
# top-right.
SPREAD_GITLAB_PROJECT_ID: "65375371"
# Git revision of spread to install.
# This must have been built via spread-dist.
# TODO: switch to upstream 1.0 release when available.
SPREAD_REV: 413817eda7bec07a3885e0717c178b965f8924e1
# Run all the tasks for a given system.
SPREAD_ARGS: "garden:$GARDEN_SYSTEM:"
SPREAD_GOARCH: amd64
before_script:
# Restore the mtime of the .image-garden.mk file. This helps make determine
# if there's actually something to do correctly. Git does not preserve the
# mtime of files during checkout.
- git restore-mtime .image-garden.mk
# Prepare the image in dry-run mode. This helps in debugging cache misses
# when files are not cached correctly by the runner, causing the build section
# below to always do hevy-duty work.
- printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
- image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
- stat .image-garden.mk "$GARDEN_SYSTEM".* || true
- printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
# Install the selected revision of spread.
- printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_spread "Installing spread..."
# Install pre-built spread from https://gitlab.com/zygoon/spread-dist generic package repository.
- |
curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --location --output spread "${CI_API_V4_URL}/projects/${SPREAD_GITLAB_PROJECT_ID}/packages/generic/spread/${SPREAD_REV}/spread.${SPREAD_GOARCH}"
- chmod +x spread
- printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_spread
script:
- printf '\e[0K%s:%s:%s\r\e[0K%s\n' section_start "$(date +%s)" run_spread "Running spread for $GARDEN_SYSTEM..."
# TODO: transform to inject ^...$ to properly select jobs to run.
- mkdir -p spread-logs spread-artifacts
- ./spread -list $SPREAD_ARGS |
split --number=l/"${CI_NODE_INDEX:-1}"/"${CI_NODE_TOTAL:-1}" |
xargs --verbose ./spread -v -artifacts ./spread-artifacts -v | tee spread-logs/"$GARDEN_SYSTEM".log
- printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" run_spread
artifacts:
paths:
- spread-logs
- spread-artifacts
when: always
spread-ubuntu-cloud-24.04-x86_64:
extends: .spread-x86_64
variables:
GARDEN_SYSTEM: ubuntu-cloud-24.04
SPREAD_ARGS: garden:$GARDEN_SYSTEM:tests/regression/ garden:$GARDEN_SYSTEM:tests/profiles/
CACHE_POLICY: pull
dependencies: []
needs:
- job: image-ubuntu-cloud-24.04-x86_64
optional: true
parallel: 4

128
.image-garden.mk
View File

@@ -1,128 +0,0 @@
# This file is read by image-garden when spread is allocating test machines.
# All the package installation happens through cloud-init profiles defined
# below.
# NOTE: Should the kernel be out of date, just increment this value. Make will
# re-create the image whenever the .image-garden.mk file is more recent than
# the image itself. In reality all you need is touch(1), but this is more apt.
unused=1
# This is the cloud-init user-data profile for all Debian systems. Note that it
# is an extension of the default profile necessary for operation of
# image-garden.
define DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE
$(CLOUD_INIT_USER_DATA_TEMPLATE)
packages:
- apache2-dev
- attr
- autoconf
- autoconf-archive
- automake
- bison
- build-essential
- dejagnu
- dosfstools
- flake8
- flex
- fuse-overlayfs
- gdb
- gettext
- libdbus-1-dev
- libpam0g-dev
- libtool
- liburing-dev
- pkg-config
- python3-all-dev
- python3-gi
- python3-notify2
- python3-psutil
- python3-setuptools
- python3-tk
- python3-ttkthemes
- swig
- toybox
# Update all the packages. This allows us to be on the up-to-date kernel
# version that we cannot otherwise easily select with cloud init alone. Note
# that we do not need to reboot the system as image garden shuts down the image
# after first boot. On subsequent boot we will be running the latest kernel.
package_upgrade: true
package_update: true
endef
# Ubuntu shares cloud-init profile with Debian.
UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE=$(DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE)
# This is the cloud-init user-data profile for openSUSE Tumbleweed.
define OPENSUSE_tumbleweed_CLOUD_INIT_USER_DATA_TEMPLATE
$(CLOUD_INIT_USER_DATA_TEMPLATE)
- sed -i -e 's/security=selinux/security=apparmor/g' /etc/default/grub
- update-bootloader
packages:
- apache2-devel
- attr
- autoconf
- autoconf-archive
- automake
- bison
- dbus-1-devel
- dejagnu
- dosfstools
- flex
- fuse-overlayfs
- gcc
- gcc-c++
- gdb
- gettext
- gobject-introspection
- libtool
- liburing2-devel
- make
- pam-devel
- pkg-config
- python3-devel
- python3-flake8
- python3-notify2
- python3-psutil
- python3-setuptools
- python3-setuptools
- python3-tk
- python311
- python311-devel
- swig
- which
# See above for rationale.
package_upgrade: true
package_update: true
endef
define FEDORA_CLOUD_INIT_USER_DATA_TEMPLATE
$(CLOUD_INIT_USER_DATA_TEMPLATE)
packages:
- attr
- autoconf
- autoconf-archive
- automake
- bison
- dbus-devel
- dejagnu
- dosfstools
- flex
- gdb
- gettext
- httpd-devel
- libstdc++-static
- libtool
- liburing-devel
- pam-devel
- perl
- pkg-config
- python3-devel
- python3-flake8
- python3-gobject-base
- python3-notify2
- python3-tkinter
- swig
# See above for rationale.
package_upgrade: true
package_update: true
endef

2
Makefile
View File

@@ -59,7 +59,7 @@ coverity: snapshot
mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-python-$(subst /,.,$(dir)).txt ;)
cov-build --dir $(COVERITY_DIR) -- sh -c \
"$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
$(MAKE) -j $$(nproc) -C $(SNAPSHOT_NAME)/$(dir);) "
$(MAKE) -C $(SNAPSHOT_NAME)/$(dir);) "
tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
.PHONY: export_dir

47
README.md
View File

@@ -181,9 +181,6 @@ $ make check # depends on the parser having been built first
$ make install
```
Note that the empty local/* profile sniplets no longer get created by default.
If you want them, run `make local` before running `make check`.
[Note that for the parser, binutils, and utils, if you only wish to build/use
some of the locale languages, you can override the default by passing
the LANGS arguments to make; e.g. make all install "LANGS=en_US fr".]
@@ -197,46 +194,6 @@ usage and how to update and add tests. Below is a quick overview of their
location and how to run them.
Using spread with local virtual machines
----------------------------------------
It may be convenient to use the spread tool to provision and run the test suite
in an ephemeral virtual machine. This allows testing in isolation from the
host, as well as testing across different commonly used distributions and their
real kernels.
Image Garden is available as a snap. If you wish to use it this way then snap
then install the snap with:
```sh
sudo snap install image-garden
```
If you need to install snapd first, see https://snapcraft.io/docs/installing-snapd
Alternatively you may build image-garden and spread from source, and install
dependencies manually.
```sh
sudo apt install git golang whois ovmf genisoimage qemu-utils qemu-system
go install github.com/snapcore/spread/cmd/spread@latest
git clone https://gitlab.com/zygoon/image-garden
make -C image-garden
sudo make -C image-garden install
image-garden make ubuntu-cloud-24.10.x86_64.run
cd $APPARMOR_PATH
git clean -xdf
~/go/bin/spread -artifacts ./spread-artifacts -v ubuntu-cloud-24.10
# or ~/go/bin/spread -v garden:ubuntu-cloud-24.04:tests/regression/apparmor:at_secure
```
Running the `run_spread.sh` script, with `image-garden` snap installed or with
`spread` on `PATH` will run all the tests across several supported systems
(Debian, Ubuntu and openSUSE).
If you include a `bzImage` file in the root of the repository then that kernel
will be used in the integration test. Please look at `spread.yaml` for details.
Regression tests
----------------
For details on structure and adding tests, see
@@ -394,10 +351,6 @@ The aa-notify tool's Python dependencies can be satisfied by installing the
following packages (Debian package names, other distros may vary):
* python3-notify2
* python3-psutil
* python3-sqlite (part of the python3.NN-stdlib package)
* python3-tk
* python3-ttkthemes
* python3-gi
Perl is no longer needed since none of the utilities shipped to end users depend
on it anymore.

9
binutils/Makefile
View File

@@ -21,7 +21,7 @@ DESTDIR=/
BINDIR=${DESTDIR}/usr/bin
SBINDIR=${DESTDIR}/usr/sbin
LOCALEDIR=/usr/share/locale
MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-load.8 aa-status.8
MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-status.8
WARNINGS = -Wall
CPP_WARNINGS =
@@ -48,10 +48,10 @@ endif
# Internationalization support. Define a package and a LOCALEDIR
EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
SRCS = aa_enabled.c aa_load.c
SRCS = aa_enabled.c
HDRS =
BINTOOLS = aa-enabled aa-exec aa-features-abi
SBINTOOLS = aa-status aa-load
SBINTOOLS = aa-status
AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
@@ -126,9 +126,6 @@ endif
aa-features-abi: aa_features_abi.c $(LIBAPPARMOR_A)
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
aa-load: aa_load.c $(LIBAPPARMOR_A)
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
aa-enabled: aa_enabled.c $(LIBAPPARMOR_A)
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)

105
binutils/aa-exec.pod
View File

@@ -80,109 +80,6 @@ aa-exec.
=back
=head1 RESTRICTIONS
aa-exec uses I<aa_change_profile(3)> to change application confinement.
The use of I<aa_change_profile(3)> may be restricted by policy in ways
that will cause failure or results different than expected.
Even when using I<aa-exec> from unconfined restrictions in policy can
causes failure or the confinement entered to be different than requested
See the unpriviled unconfined restriction documentation for more detail.
https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction
=head1 STACKING
aa-exec can be used to setup a stack of profiles as confinement. When an
application is confined by a stack, all profiles in the stack are checked
as if they were the profile confining the application. The resulting
mediation is the intersection of what is allowed by each profile in the
stack.
The profiles in a stack are treated independently. Each profile can have
its own flags and profile transitions. During an exec each profile gets
to specify its transition and the results brought together to form a
new canonicalized stack.
The profile separator indicating a stack is the character sequence I<//&>.
Thus a stack can be expressed using
=over 4
$ aa-exec -p "unconfined//&firefox" -- bash
$ ps -Z
LABEL PID TTY TIME CMD
unconfined 30714 pts/12 00:00:00 bash
firefox//&unconfined (unconfined) 31160 pts/12 00:00:00 bash
firefox//&unconfined (unconfined) 31171 pts/12 00:00:00 ps
=back
=head1 NAMESPACES
aa-exec can be used to enter confinement in another policy namespace
if the policy namespaces exists, is visible, and the profile exists in
the namespace. Note applications launched within the namespace will
not be able to exit the namespace, and may be restricted by additional
confinement around namespacing. Files and resources visible to the
parent that launches the application may not be visible in the policy
namespace resulting in access denials.
To enter a policy namespace the profile is prefixed with the namespace's
name, using a I<:> prefix and suffix.
Eg.
=over 4
$ aa-exec -p :ex1:unconfined -- bash
$ ps -Z
LABEL PID TTY TIME CMD
- 30714 pts/12 00:00:00 bash
unconfined 34372 pts/12 00:00:00 bash
unconfined 34379 pts/12 00:00:00 ps
=back
Confinement of processes outside of the namespace may not be visible
in which case the confinement will be represented with a -. If policy
is stacked only part of the confinement might be visible. However
confinement is usually fully visible from the parent policy namespace.
Eg. the confinement of the child can be queried in the parent to see
=over 4
$ ps -Z 34372
LABEL PID TTY STAT TIME COMMAND
:ex1:unconfined 34372 pts/12 S+ 0:00 bash
=back
And in the case of stacking with namespaces
=over 4
$ aa-exec -p "unconfined//&:ex1:unconfined" -- bash
$ ps -Z
LABEL PID TTY TIME CMD
- 30714 pts/12 00:00:00 bash
unconfined 36298 pts/12 00:00:00 bash
unconfined 36305 pts/12 00:00:00 ps
=back
while from the parent namespace the full confinement can be seen
=over 4
$ ps -Z 36298
LABEL PID TTY STAT TIME COMMAND
unconfined//&:ex1:unconfined 36298 pts/12 S+ 0:00 bash
=back
=head1 BUGS
If you find any bugs, please report them at
@@ -190,7 +87,7 @@ L<https://gitlab.com/apparmor/apparmor/-/issues>
=head1 SEE ALSO
apparmor(7), apparmor.d(5), aa_change_profile(3),
aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
aa_change_onexec(3) and L<https://wiki.apparmor.net>.
=cut

77
binutils/aa-load.pod
View File

@@ -1,77 +0,0 @@
# This publication is intellectual property of Canonical Ltd. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither Canonical Ltd, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. Canonical Ltd
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
=pod
=head1 NAME
aa-load - load precompiled AppArmor policy from cache location(s)
=head1 SYNOPSIS
B<aa-load> [options] (cache file|cache dir|cache base dir)+
=head1 DESCRIPTION
B<aa-load> loads precompiled AppArmor policy from the specified locations.
=head1 OPTIONS
B<aa-load> accepts the following arguments:
=over 4
=item -f, --force
Force B<aa-load> to load a policy even if its abi does not match the kernel abi.
=item -d, --debug
Display debug messages.
=item -v, --verbose
Display progress and error messages.
=item -n, --dry-run
Do not actually load the specified policy/policies into the kernel.
=item -h, --help
Display a brief usage guide.
=back
=head1 EXIT STATUS
Upon exiting, B<aa-load> returns 0 upon success and 1 upon an error loading
the precompiled policy.
=head1 BUGS
If you find any bugs, please report them at
L<https://gitlab.com/apparmor/apparmor/-/issues>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), and L<https://wiki.apparmor.net>.
=cut

53
binutils/aa-status.pod
View File

@@ -72,18 +72,11 @@ displays the number of loaded non-enforcing AppArmor policies.
=item --kill
displays the number of loaded enforcing AppArmor policies that will
kill tasks on policy violations.
=item --prompt
displays the number of loaded enforcing AppArmor policies, with
fallback to userspace mediation.
displays the number of loaded enforcing AppArmor policies that will kill tasks on policy violations.
=item --special-unconfined
displays the number of loaded non-enforcing AppArmor policies that are
in the special unconfined mode.
displays the number of loaded non-enforcing AppArmor policies that are in the special unconfined mode.
=item --process-mixed
displays the number of processes confined by profile stacks with
@@ -104,40 +97,6 @@ set in a JSON format, fit for machine consumption.
same as --json, formatted to be readable by humans as well
as by machines.
=item --show
what data sets to show information about. Currently I<processes>,
I<profiles>, I<all> for both processes and profiles. The default is
I<all>.
=item --count
display only counts for selected information.
=item --filter.mode=filter
Allows specifying a posix regular expression filter that will be
applied against the displayed processes and profiles apparmor profile
mode, reducing the output.
=item --filter.profiles=filter
Allows specifying a posix regular expression filter that will be
applied against the displayed processes and profiles confining
profile, reducing the output.
=item --filter.pid=filter
Allows specifying a posix regular expression filter that will be
applied against the displayed processes, so that only processes pids
matching the expression will be displayed.
=item --filter.exe=filter
Allows specifying a posix regular expression filter that will be
applied against the displayed processes, so that only processes
executable name matching the expression will be displayed.
=item --help
displays a short usage statement.
@@ -165,8 +124,7 @@ if apparmor is enabled but no policy is loaded.
=item B<3>
if the apparmor control files aren't available under
/sys/kernel/security/.
if the apparmor control files aren't available under /sys/kernel/security/.
=item B<4>
@@ -182,9 +140,8 @@ if an internal error occurred.
=head1 BUGS
B<aa-status> must be run as root to read the state of the loaded
policy from the apparmor module. It uses the /proc filesystem to
determine which processes are confined and so is susceptible to race
conditions.
policy from the apparmor module. It uses the /proc filesystem to determine
which processes are confined and so is susceptible to race conditions.
If you find any additional bugs, please report them at
L<https://gitlab.com/apparmor/apparmor/-/issues>.

409
binutils/aa_load.c
View File

@@ -1,409 +0,0 @@
/*
* Copyright (C) 2020 Canonical Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*/
#define _GNU_SOURCE /* for asprintf() */
#include <stdio.h>
#include <errno.h>
#include <getopt.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdarg.h>
#include <stddef.h>
#include <fcntl.h>
#include <string.h>
#include <dirent.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/apparmor.h>
#include <libintl.h>
#define _(s) gettext(s)
/* TODO: implement config locations - value can change */
#define DEFAULT_CONFIG_LOCATIONS "/etc/apparmor/parser.conf"
#define DEFAULT_POLICY_LOCATIONS "/var/cache/apparmor:/etc/apparmor.d/cache.d:/etc/apparmor.d/cache"
#define CACHE_FEATURES_FILE ".features"
bool opt_debug = false;
bool opt_verbose = false;
bool opt_dryrun = false;
bool opt_force = false;
bool opt_config = false;
#define warning(fmt, args...) _error(_("aa-load: WARN: " fmt "\n"), ## args)
#define error(fmt, args...) _error(_("aa-load: ERROR: " fmt "\n"), ## args)
static void _error(const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
vfprintf(stderr, fmt, args);
va_end(args);
}
#define verbose(fmt, args...) _debug(opt_verbose, _(fmt "\n"), ## args)
#define debug(fmt, args...) _debug(opt_debug, _("aa-load: DEBUG: " fmt "\n"), ## args)
static void _debug(bool opt_displayit, const char *fmt, ...)
{
va_list args;
if (!opt_displayit)
return;
va_start(args, fmt);
vfprintf(stderr, fmt, args);
va_end(args);
}
static int have_enough_privilege(const char *command)
{
uid_t uid, euid;
uid = getuid();
euid = geteuid();
if (uid != 0 && euid != 0) {
error("%s: Sorry. You need root privileges to run this program.\n",
command);
return EPERM;
}
if (uid != 0 && euid == 0) {
error("%s: Aborting! You've set this program setuid root.\n"
"Anybody who can run this program can update "
"your AppArmor profiles.\n", command);
exit(EXIT_FAILURE);
}
return 0;
}
static int load_config(const char *file)
{
/* TODO */
return ENOENT;
}
/**
* load a single policy cache file to the kernel
*/
static int load_policy_file(const char *file)
{
int rc = 0;
struct aa_kernel_interface *kernel_interface;
if (aa_kernel_interface_new(&kernel_interface, NULL, NULL)) {
rc = -errno;
error("Failed to open kernel interface '%s': %m", file);
return rc;
}
if (!opt_dryrun &&
aa_kernel_interface_replace_policy_from_file(kernel_interface,
AT_FDCWD, file)) {
rc = -errno;
error("Failed to load policy into kernel '%s': %m", file);
}
aa_kernel_interface_unref(kernel_interface);
return rc;
}
static void validate_features(const char *dir_path)
{
aa_features *kernel_features;
if (aa_features_new_from_kernel(&kernel_features) == -1) {
error("Failed to obtain features: %m");
return;
}
if (aa_features_check(AT_FDCWD, dir_path, kernel_features) == -1) {
if (errno == ENOENT) {
/* features file does not exist
* not an issue when loading cache policies from dir
*/
}
else if (errno == EEXIST) {
warning("Overlay features do not match kernel features");
}
}
aa_features_unref(kernel_features);
}
/**
* load a directory of policy cache files to the kernel
* This does not do a subdir search to find the kernel match but
* tries to load the dir regardless of whether its features match
*
* The hierarchy looks like
*
* dir/
* .features
* profile1
* ...
*/
static int load_policy_dir(const char *dir_path)
{
DIR *d;
struct dirent *dir;
int rc = 0;
char *file;
size_t len;
validate_features(dir_path);
d = opendir(dir_path);
if (!d) {
rc = -errno;
error("Failed to open directory '%s': %m", dir_path);
return rc;
}
while ((dir = readdir(d)) != NULL) {
/* Only check regular files for now */
if (dir->d_type == DT_REG) {
/* As per POSIX dir->d_name has at most NAME_MAX characters */
len = strnlen(dir->d_name, NAME_MAX);
/* Ignores .features */
if (strncmp(dir->d_name, CACHE_FEATURES_FILE, len) == 0) {
continue;
}
if (asprintf(&file, "%s/%s", dir_path, dir->d_name) == -1) {
error("Failure allocating memory");
closedir(d);
return -1;
}
load_policy_file(file);
free(file);
file = NULL;
}
}
closedir(d);
return 0;
}
/**
* load_hashed_policy - find policy hashed dir and load it
*
* load/replace all policy from a policy hierarchy directory
*
* Returns: 0 on success < -errno
*
* It will find the subdir that matches the kernel and load all
* precompiled policy files from it.
*
* The hierarchy looks something like
*
* location/
* kernel_hash1.0/
* .features
* profile1
* ...
* kernel_hash2.0/
* .features
* profile1
* ...
*/
static int load_policy_by_hash(const char *location)
{
aa_policy_cache *policy_cache = NULL;
int rc;
if ((rc = aa_policy_cache_new(&policy_cache, NULL, AT_FDCWD, location, 0))) {
rc = -errno;
error("Failed to open policy cache '%s': %m", location);
return rc;
}
if (opt_debug) {
/* show hash directory under location that matches the
* current kernel
*/
char *cache_loc = aa_policy_cache_dir_path_preview(NULL, AT_FDCWD, location);
if (!cache_loc) {
rc = -errno;
error("Failed to find cache location '%s': %m", location);
goto out;
}
debug("Loading cache from '%s'\n", cache_loc);
free(cache_loc);
}
if (!opt_dryrun) {
if ((rc = aa_policy_cache_replace_all(policy_cache, NULL)) < 0) {
error("Failed to load policy cache '%s': %m", location);
} else {
verbose("Success - Loaded policy cache '%s'", location);
}
}
out:
aa_policy_cache_unref(policy_cache);
return rc;
}
/**
* load_arg - calls specific load functions for files and directories
*
* load/replace all policy files/dir in arg
*
* Returns: 0 on success, 1 on failure.
*
* It will load by hash subtree first, and fallback to a cache dir
* If not a directory, it will try to load it as a cache file
*/
static int load_arg(char *arg)
{
char **location = NULL;
int i, n, rc = 0;
/* arg can specify an overlay of multiple cache locations */
if ((n = aa_split_overlay_str(arg, &location, 0, true)) == -1) {
error("Failed to parse overlay locations: %m");
return 1;
}
for (i = 0; i < n; i++) {
struct stat st;
debug("Trying to open %s", location[i]);
if (stat(location[i], &st) == -1) {
error("Failed stat of '%s': %m", location[i]);
rc = 1;
continue;
}
if (S_ISDIR(st.st_mode)) {
/* try hash dir subtree first */
if (load_policy_by_hash(location[i]) < 0) {
error("Failed load policy by hash '%s': %m", location[i]);
rc = 1;
}
/* fall back to cache dir */
if (load_policy_dir(location[i]) < 0) {
error("Failed load policy by directory '%s': %m", location[i]);
rc = 1;
}
} else if (load_policy_file(location[i]) < 0) {
rc = 1;
}
}
for (i = 0; i < n; i++)
free(location[i]);
free(location);
return rc;
}
static void print_usage(const char *command)
{
printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)+\n"
"Load precompiled AppArmor policy from cache location(s)\n\n"
"Options:\n"
" -f, --force load policy even if abi does not match the kernel\n"
" -d, --debug display debug messages\n"
" -v, --verbose display progress and error messages\n"
" -n, --dry-run do everything except actual load\n"
" -h, --help this message\n",
command);
}
static const char *short_options = "c:dfvnh";
struct option long_options[] = {
{"config", 1, 0, 'c'},
{"debug", 0, 0, 'd'},
{"force", 0, 0, 'f'},
{"verbose", 0, 0, 'v'},
{"dry-run", 0, 0, 'n'},
{"help", 0, 0, 'h'},
{NULL, 0, 0, 0},
};
static int process_args(int argc, char **argv)
{
int c, o;
opterr = 1;
while ((c = getopt_long(argc, argv, short_options, long_options, &o)) != -1) {
switch(c) {
case 0:
error("error in argument processing\n");
exit(1);
break;
case 'd':
opt_debug = true;
break;
case 'f':
opt_force = true;
break;
case 'v':
opt_verbose = true;
break;
case 'n':
opt_dryrun = true;
break;
case 'h':
print_usage(argv[0]);
exit(0);
break;
case 'c':
/* TODO: reserved config location,
* act as a bad arg for now, when added update usage
*/
//opt_config = true; uncomment when implemented
/* Fall through */
default:
error("unknown argument: '%s'\n\n", optarg);
print_usage(argv[1]);
exit(1);
break;
}
}
return optind;
}
int main(int argc, char **argv)
{
int i, rc = 0;
optind = process_args(argc, argv);
if (!opt_dryrun && have_enough_privilege(argv[0]))
return 1;
/* if no location use the default one */
if (optind == argc) {
if (!opt_config && load_config(DEFAULT_CONFIG_LOCATIONS) == 0) {
verbose("Loaded policy config");
}
if ((rc = load_arg(DEFAULT_POLICY_LOCATIONS)))
verbose("Loading policy from default location '%s'", DEFAULT_POLICY_LOCATIONS);
else
debug("No policy specified, and no policy config or policy in default locations");
}
for (i = optind; i < argc; i++) {
/* Try to load all policy locations even if one fails
* but always return an error if any fail
*/
int tmp = load_arg(argv[i]);
if (!rc)
rc = tmp;
}
return rc;
}

936
binutils/aa_status.c
View File

File diff suppressed because it is too large Load Diff

34
binutils/po/aa_load.pot
View File

@@ -1,34 +0,0 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR Canonical Ltd
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
"POT-Creation-Date: 2025-02-18 07:37-0800\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
#: ../aa_load.c:40
msgid "aa-load: WARN: "
msgstr ""
#: ../aa_load.c:41
msgid "aa-load: ERROR: "
msgstr ""
#: ../aa_load.c:51
msgid "\n"
msgstr ""
#: ../aa_load.c:52
msgid "aa-load: DEBUG: "
msgstr ""

67
binutils/po/be.po
View File

@@ -1,67 +0,0 @@
# Belarusian translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2020-05-05 21:55+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Belarusian <be@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2020-05-06 05:41+0000\n"
"X-Generator: Launchpad (build fbdff7602bd10fb883bf7e2ddcc7fd5a16f60398)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr ""
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr ""
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr ""
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr ""
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr ""
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr ""

71
binutils/po/ca.po
View File

@@ -1,71 +0,0 @@
# Catalan translation for apparmor
# Copyright (c) 2024 Rosetta Contributors and Canonical Ltd 2024
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2024.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2024-09-14 10:17+0000\n"
"Last-Translator: Walter Garcia-Fontes <walter.garcia@upf.edu>\n"
"Language-Team: Catalan <ca@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2024-09-15 07:16+0000\n"
"X-Generator: Launchpad (build 1b1ed1ad2dbfc71ee62b5c5491c975135a771bf0)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [opcions]\n"
" opcions:\n"
" -q | --quiet No imprimeixis cap missatge\n"
" -h | --help Imprimeix l'ajuda\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "opcions desconegudes o incompatibles\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "opció desconeguda «%s»\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Sí\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "No - no esta disponible a aquest sistema\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "No - desactivat a l'inici.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Potser - la interfície de política no està disponible.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Potser - permisos insuficient per determinar la disponibilitat.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Error - '%s'\n"

67
binutils/po/cs.po
View File

@@ -1,67 +0,0 @@
# Czech translation for apparmor
# Copyright (c) 2022 Rosetta Contributors and Canonical Ltd 2022
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2022.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2022-01-09 11:59+0000\n"
"Last-Translator: Marek Hladík <mhladik@seznam.cz>\n"
"Language-Team: Czech <cs@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2022-01-10 06:32+0000\n"
"X-Generator: Launchpad (build 1682fd44eec4f62371f0bed122a83482daf08e23)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "neznámé nebo nekompatibilní volby\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "neznámá volba '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Ano\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Ne - není v tomto systému k dispozici.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Ne - zakázáno při startu.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Možná - rozhraní zásad není k dispozici.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Možná - nedostatečná oprávnění k určení dostupnosti.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Chyba - '%s'\n"

67
binutils/po/en_AU.po
View File

@@ -1,67 +0,0 @@
# English (Australia) translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2020-11-28 04:45+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: English (Australia) <en_AU@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2020-11-29 06:26+0000\n"
"X-Generator: Launchpad (build 12d09381f8e8eee3115395875b132e165fa96574)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr ""
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr ""
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr ""
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr ""
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr ""
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr ""

67
binutils/po/en_CA.po
View File

@@ -1,67 +0,0 @@
# English (Canada) translation for apparmor
# Copyright (c) 2021 Rosetta Contributors and Canonical Ltd 2021
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2021.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2021-10-01 04:55+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: English (Canada) <en_CA@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2021-10-02 06:17+0000\n"
"X-Generator: Launchpad (build 1ce78163f6a09ed42b4201fe7d3f0e3a2eba7d02)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr ""
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr ""
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr ""
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr ""
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr ""
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr ""

71
binutils/po/et.po
View File

@@ -1,71 +0,0 @@
# Estonian translation for apparmor
# Copyright (c) 2023 Rosetta Contributors and Canonical Ltd 2023
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2023.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2023-07-04 08:52+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Estonian <et@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2023-07-05 04:31+0000\n"
"X-Generator: Launchpad (build beda0e9dd2b131780db60fe479d4b43618b27243)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [valikud]\n"
" valikud:\n"
" -q | --quiet Ärge printige sõnumeid välja\n"
" -h | --help Prindi abiinfo\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "tundmatud või ühildumatud valikud\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "tundmatu valik '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Jah\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Ei pole selles süsteemis saadaval.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Ei käivitamisel keelatud.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Võib-olla poliisiliides pole saadaval.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Võib-olla - kättesaadavuse määramiseks pole piisavalt õigusi.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Viga '%s'\n"

67
binutils/po/gl.po
View File

@@ -1,67 +0,0 @@
# Galician translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2020-04-21 14:59+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Galician <gl@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2020-04-22 06:10+0000\n"
"X-Generator: Launchpad (build aad6b57d58e2f621954298e262c1cc904860f5d2)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr ""
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr ""
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr ""
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr ""
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr ""
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr ""

71
binutils/po/he.po
View File

@@ -1,71 +0,0 @@
# Hebrew translation for apparmor
# Copyright (c) 2023 Rosetta Contributors and Canonical Ltd 2023
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2023.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2023-10-05 05:12+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Hebrew <he@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2023-10-06 08:32+0000\n"
"X-Generator: Launchpad (build bd6cfd0cfc024dbe1dcd7d5d91165fb4f6a6c596)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [אפשרויות]\n"
" אפשרויות:\n"
" -q | --quiet לא להציג הודעות\n"
" -h | --help הצגת עזרה\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "אפשרויות לא ידועות או לא נתמכות\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "האפשרות %s לא מוכרת\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "כן\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "לא - לא זמין במערכת הזאת.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "לא - מושבת בעלייה.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "אולי - מנשק המדיניות לא זמין.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "אולי - אין מספיק הרשאות לקבוע זמינות.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "שגיאה - %s\n"

67
binutils/po/hi.po
View File

@@ -1,67 +0,0 @@
# Hindi translation for apparmor
# Copyright (c) 2023 Rosetta Contributors and Canonical Ltd 2023
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2023.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2023-01-09 07:39+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Hindi <hi@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2023-01-10 06:22+0000\n"
"X-Generator: Launchpad (build 87bfee1fd14ea3245297d63eeec1e4c8a1d203a8)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr ""
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr ""
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr ""
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr ""
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr ""
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr ""

71
binutils/po/hr.po
View File

@@ -1,71 +0,0 @@
# Croatian translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2021-10-03 10:17+0000\n"
"Last-Translator: gogo <trebelnik2@gmail.com>\n"
"Language-Team: Croatian <hr@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2021-10-04 06:23+0000\n"
"X-Generator: Launchpad (build 1ce78163f6a09ed42b4201fe7d3f0e3a2eba7d02)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [mogućnosti]\n"
" options:\n"
" -q | --quiet Ne prikazuj poruke\n"
" -h | --help Prikaži pomoć\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "nepoznata ili nepotpuna mogućnost\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "nepoznata mogućnost '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Da\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Ne - nedostupno na ovom sustavu.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Ne - onemogućeno pri pokretanju.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Možda - pravilo sučelja nedostupno.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Možda - nedovoljna dozvola za određivanje dostupnosti.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Greška - '%s'\n"

72
binutils/po/it.po
View File

@@ -1,72 +0,0 @@
# Italian translation for apparmor
# Copyright (c) 2022 Rosetta Contributors and Canonical Ltd 2022
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2022.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2022-06-30 17:54+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Italian <it@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2022-07-01 04:30+0000\n"
"X-Generator: Launchpad (build f48158886a49da429840bcd298f0c7ed60f9ad7b)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [opzioni]\n"
" opzioni:\n"
" -q | --quiet Non stampa nessun messaggio\n"
" -h | --help Stampa la guida\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "opzioni sconosciute o incompatibili\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "opzione sconosciuta '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Si\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "No - non disponibile su questo sistema.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "No - disabilitato all'avvio.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Forse - interfaccia dei criteri non disponibile.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
"Forse - autorizzazioni insufficienti per determinare la disponibilità.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Errore - '%s'\n"

72
binutils/po/ka.po
View File

@@ -1,72 +0,0 @@
# Georgian translation for apparmor
# Copyright (c) 2023 Rosetta Contributors and Canonical Ltd 2023
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2023.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2023-06-26 15:06+0000\n"
"Last-Translator: NorwayFun <temuri.doghonadze@gmail.com>\n"
"Language-Team: Georgian <ka@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2023-06-27 04:31+0000\n"
"X-Generator: Launchpad (build aedf8597c50c1abc5fb7f9e871e686dfcb381fde)\n"
"Language: aa\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [პარამეტრები]\n"
" პარამეტრები:\n"
" -q | --quiet შეტყობინებები გამოტანილი არ იქნება\n"
" -h | --help დახმარების გამოტანა\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "უცნობი ან შეუთავსებელი პარამეტრები\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "უცნობი პარამეტრი \"%s\"-სთვის\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "დიახ\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "არა - მიუწვდომელია ამ სისტემაზე\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "არა - გამორთულია ჩატვირთვისას\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "შეიძლება - პოლიტიკის ინტერფეისი ხელმისაწვდომი არაა.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "შეიძლება - არასაკმარისი წვდომები ხელმისაწვდომობის დასადგენად.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "შეცდომა - \"%s\"\n"

67
binutils/po/kab.po
View File

@@ -1,67 +0,0 @@
# Kabyle translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2020-04-29 14:31+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Kabyle <kab@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2020-04-30 05:44+0000\n"
"X-Generator: Launchpad (build fbdff7602bd10fb883bf7e2ddcc7fd5a16f60398)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr ""
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr ""
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr ""
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr ""
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr ""
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr ""

73
binutils/po/my.po
View File

@@ -1,73 +0,0 @@
# Burmese translation for apparmor
# Copyright (c) 2022 Rosetta Contributors and Canonical Ltd 2022
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2022.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2022-06-26 11:50+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Burmese <my@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2022-06-27 04:30+0000\n"
"X-Generator: Launchpad (build 51a2e4fa2e9b8e45f00904ad7f53546f45ac48a5)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s- [options]\n"
" ရွေးချယ်စရာများ-\n"
" -q | --quiet မည်သည့်စာတိုကိုမှ ပရင့်မထုတ်ပါနှင့်။\n"
" -h | --help ပရင့်အကူအညီ\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "အမည်မသိ သို့မဟုတ် သဟဇာတမဖြစ်သော ရွေးချယ်စရာများ\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "အမည်မသိရွေးချယ်မှု '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "ဟုတ်\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "မဟုတ်ပါ - ဤစနစ်တွင် မရနိုင်ပါ။\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "မဟုတ်ပါ - boot တွင် ပိတ်ထားပါသည်။\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "ဖြစ်နိုင်ပါသည် - မူဝါဒ interface ကို မရနိုင်ပါ။\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
"ဖြစ်နိုင်ပါသည် - ရရှိနိုင်မှုကို ဆုံးဖြတ်ရန်အတွက် ခွင့်ပြုချက်များမှာ "
"လုံလောက်မှုမရှိပါ။\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "အမှား- '%s'\n"

67
binutils/po/oc.po
View File

@@ -1,67 +0,0 @@
# Occitan (post 1500) translation for apparmor
# Copyright (c) 2021 Rosetta Contributors and Canonical Ltd 2021
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2021.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2021-01-14 18:26+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Occitan (post 1500) <oc@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2021-01-15 07:59+0000\n"
"X-Generator: Launchpad (build 511b4a3b6512aa3d421c5f7d74f3527e78bff26e)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr ""
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr ""
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr ""
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr ""
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr ""
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr ""

71
binutils/po/pl.po
View File

@@ -1,71 +0,0 @@
# Polish translation for apparmor
# Copyright (c) 2021 Rosetta Contributors and Canonical Ltd 2021
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2021.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2021-07-22 20:10+0000\n"
"Last-Translator: Marek Adamski <Unknown>\n"
"Language-Team: Polish <pl@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2021-07-23 06:03+0000\n"
"X-Generator: Launchpad (build 7edebbcd0516593cf020aaa3c59299732a7c73cc)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [opcje]\n"
" opcje:\n"
" -q | --quiet Nie wyświetlaj żadnych komunikatów\n"
" -h | --help Wyświetl pomoc\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "nieznane lub niekompatybilne opcje\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "nieznana opcja '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Tak\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Nie - nie jest dostępne w tym systemie.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Nie - wyłączone podczas rozruchu.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Może - interfejs zasad nie jest dostępny.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Może - brak wystarczających uprawnień do określenia dostępności.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Błąd - '%s'\n"

71
binutils/po/pt_BR.po
View File

@@ -1,71 +0,0 @@
# Brazilian Portuguese translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2020-04-27 20:32+0000\n"
"Last-Translator: Rodrigo Farias <Unknown>\n"
"Language-Team: Brazilian Portuguese <pt_BR@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2020-04-28 05:52+0000\n"
"X-Generator: Launchpad (build d1105341713c5be348effe2a5142c4a210ce4cde)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [options]\n"
" opções:\n"
" -q | --quiet Não imprimir nenhum mensagem\n"
" -h | --help Assistente de impressão\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "opções incompatíveis ou desconhecidas\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "opção desconhecida '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Sim\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Não - não disponível neste sistema.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Não - desabilitado na inicialização.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Talvez - interface de política não disponível.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Talvez - permissões insuficientes para determinar disponibilidade.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Erro - '%s'\n"

36
binutils/po/ro.po
View File

@@ -1,26 +1,21 @@
# Romanian translation for apparmor, "apparmor-binutils" component.
# Mesajele în limba română pentru pachetul „apparmor”, componenta „apparmor-binutils”.
# Copyright © 2020 Rosetta Contributors and Canonical Ltd.
# Copyright © 2024 Canonical Ltd.
# Romanian translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
#
# Daniel Slavu <Unknown>, feb-2020.
# Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>, sep-2024.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor-binutils\n"
"Report-Msgid-Bugs-To: <apparmor@lists.ubuntu.com>\n"
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2024-09-23 22:45+0000\n"
"Last-Translator: Remus-Gabriel Chelu <Unknown>\n"
"Language-Team: Romanian <debian-l10n-romanian@lists.debian.org>\n"
"PO-Revision-Date: 2020-02-20 21:47+0000\n"
"Last-Translator: Daniel Slavu <Unknown>\n"
"Language-Team: Romanian <ro@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2024-09-25 04:33+0000\n"
"X-Generator: Launchpad (build 1b1ed1ad2dbfc71ee62b5c5491c975135a771bf0)\n"
"Language: ro\n"
"X-Launchpad-Export-Date: 2020-02-21 05:39+0000\n"
"X-Generator: Launchpad (build 19413b719a8df7423ab1390528edadce9e0e4aca)\n"
#: ../aa_enabled.c:26
#, c-format
@@ -32,8 +27,8 @@ msgid ""
msgstr ""
"%s: [opțiuni]\n"
" opțiuni:\n"
" -q | --quiet nu afișează niciun mesaj\n"
" -h | --help imprimă ajutorul\n"
" -q | --calm Nu imprima niciun mesaj\n"
" -h | - ajutor Imprimare ajutor\n"
#: ../aa_enabled.c:45
#, c-format
@@ -43,7 +38,7 @@ msgstr "opțiuni necunoscute sau incompatibile\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "opțiune necunoscută %s\n"
msgstr "opțiune necunoscută '%s'\n"
#: ../aa_enabled.c:64
#, c-format
@@ -63,8 +58,7 @@ msgstr "Nu - dezactivat la pornire.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
"Poate - interfața politică (de directive politice) nu este disponibilă.\n"
msgstr "Poate - interfața politică nu este disponibilă.\n"
#: ../aa_enabled.c:81
#, c-format
@@ -75,4 +69,4 @@ msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Eroare - %s\n"
msgstr "Eroare - '%s'\n"

67
binutils/po/sr.po
View File

@@ -1,67 +0,0 @@
# Serbian translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2020-11-23 18:06+0000\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: Serbian <sr@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2020-11-24 05:55+0000\n"
"X-Generator: Launchpad (build c35ff22711d15549e2303ae18ae521fd91f6bf00)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr ""
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr ""
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr ""
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr ""
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr ""
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr ""

71
binutils/po/uk.po
View File

@@ -1,71 +0,0 @@
# Ukrainian translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2020-05-19 21:48+0000\n"
"Last-Translator: Nazarii Ritter <nazariy.ritter@gmail.com>\n"
"Language-Team: Ukrainian <uk@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2020-05-20 05:42+0000\n"
"X-Generator: Launchpad (build 0385b538081bc4718df6fb844a3afc89729c94ce)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [опції]\n"
" опції:\n"
" -q | --quiet Не виводити жодних повідомлень\n"
" -h | --help Вивести довідку\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "невідомі або несумісні опції\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "невідомий параметр «%s»\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Так\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Ні недоступно на цій системі.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Ні вимкнено під час завантаження.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Можливо інтерфейс політики недоступний.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Можливо недостатньо дозволів для визначення наявності.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Помилка - '%s'\n"

71
binutils/po/zh_CN.po
View File

@@ -1,71 +0,0 @@
# Chinese (Simplified) translation for apparmor
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2020-05-14 09:16+0000\n"
"Last-Translator: 玉堂白鹤 <yjwork@qq.com>\n"
"Language-Team: Chinese (Simplified) <zh_CN@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2020-05-15 05:51+0000\n"
"X-Generator: Launchpad (build 0385b538081bc4718df6fb844a3afc89729c94ce)\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [选项]\n"
" 选项:\n"
" -q | --quiet 不要打印任何消息\n"
" -h | --help 打印帮助\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "未知或不兼容的选项\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "未知选项 '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "是\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "否 - 在此系统上不可用。\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "否 - 引导时被禁用。\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "也许 - 策略界面不可用\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "也许 - 没有足够的权限确定可用性。\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "错误 - '%s'\n"

4
changehat/pam_apparmor/README
View File

@@ -67,10 +67,10 @@ to syslog.
References
----------
Project webpage:
https://apparmor.net/
http://developer.novell.com/wiki/index.php/Novell_AppArmor
To provide feedback or ask questions please contact the
apparmor@lists.ubuntu.com mail list. This is the development list
apparmor-dev@forge.novell.com mail list. This is the development list
for the AppArmor team.
See also: change_hat(3), and the Linux-PAM online documentation at

11
changehat/tomcat_apparmor/tomcat_5_0/README.tomcat_apparmor
View File

@@ -188,9 +188,10 @@ parent context.
8. Feedback/Resources
-----------------
Project webpage:
https://apparmor.net/
To provide feedback or ask questions please contact the
apparmor-dev@forge.novell.com mail list. This is the development list for the
AppArmor team.
To provide feedback or ask questions please contact the
apparmor@lists.ubuntu.com mail list. This is the development list
for the AppArmor team.

11
changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor
View File

@@ -188,9 +188,10 @@ parent context.
8. Feedback/Resources
-----------------
Project webpage:
https://apparmor.net/
To provide feedback or ask questions please contact the
apparmor-dev@forge.novell.com mail list. This is the development list for the
AppArmor team.
To provide feedback or ask questions please contact the
apparmor@lists.ubuntu.com mail list. This is the development list
for the AppArmor team.

8
common/Make.rules
View File

@@ -35,14 +35,16 @@ VERSION=$(shell cat $(COMMONDIR)/Version)
pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH)))))
map = $(foreach a,$(2),$(call $(1),$(a)))
AWK?=$(or $(shell which awk),$(error awk utility required for build but not available))
AWK:=$(shell which awk)
ifndef AWK
$(error awk utility required for build but not available)
endif
define nl
endef
REPO_VERSION_CMD=[ -x /usr/bin/git ] && /usr/bin/git describe --tags --long --abbrev=16 --match 'v*' 2> /dev/null || $(AWK) '{ print $2 }' common/.stamp_rev
REPO_VERSION_CMD=[ -x /usr/bin/git ] && /usr/bin/git describe --tags --long --abbrev=16 --match 'v*' 2> /dev/null || awk '{ print $2 }' common/.stamp_rev
ifndef PYTHON_VERSIONS
PYTHON_VERSIONS = $(call map, pathsearch, python3)

2
common/Version
View File

@@ -1 +1 @@
4.1.1
3.1.3

BIN
documentation/AppArmor_Developer_2-policy_layout_and_encoding.odt
View File

Binary file not shown.

11
libraries/libapparmor/configure.ac
View File

@@ -92,17 +92,6 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
AC_MSG_ERROR([C99 mode is required to build libapparmor])
fi
AC_PROG_CXX
m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
,)
AC_SUBST([AM_CFLAGS], ["$EXTRA_CFLAGS"])
AC_SUBST([AM_CXXFLAGS], ["$EXTRA_CFLAGS"])
AC_OUTPUT(
Makefile
doc/Makefile

8
libraries/libapparmor/doc/aa_getcon.pod
View File

@@ -116,14 +116,6 @@ The specified I<file/task> does not exist or is not visible.
The confinement data is too large to fit in the supplied buffer.
=item B<ENOPROTOOPT>
The kernel doesn't support the SO_PEERLABEL option in sockets. This happens
mainly when the kernel lacks 'fine grained unix mediation' support. It also
can happen on LSM stacking kernels where another LSM has claimed this
interface and decides to return this error, although this is really a
corner case.
=back
=head1 NOTES

5
libraries/libapparmor/doc/aa_stack_profile.pod
View File

@@ -109,12 +109,12 @@ To immediately stack a profile named "profile_a", as performed with
aa_stack_profile("profile_a"), the equivalent of this shell command can be
used:
$ echo -n "stack profile_a" > /proc/self/attr/current
$ echo -n "stackprofile profile_a" > /proc/self/attr/current
To stack a profile named "profile_a" at the next exec, as performed with
aa_stack_onexec("profile_a"), the equivalent of this shell command can be used:
$ echo -n "stack profile_a" > /proc/self/attr/exec
$ echo -n "stackexec profile_a" > /proc/self/attr/exec
These raw AppArmor filesystem operations must only be used when using
libapparmor is not a viable option.
@@ -184,7 +184,6 @@ with apparmor_parser(8):
/etc/passwd r,
# Needed for aa_stack_profile()
change-profile -> &i_cant_be_trusted_anymore,
/usr/lib/libapparmor*.so* mr,
/proc/[0-9]*/attr/current w,
}

102
libraries/libapparmor/include/aalogparse.h
View File

@@ -19,10 +19,6 @@
#ifndef __LIBAALOGPARSE_H_
#define __LIBAALOGPARSE_H_
#ifdef __cplusplus
extern "C" {
#endif
#define AA_RECORD_EXEC_MMAP 1
#define AA_RECORD_READ 2
#define AA_RECORD_WRITE 4
@@ -30,10 +26,10 @@ extern "C" {
#define AA_RECORD_LINK 16
/**
* Enum representing which syntax version the log entry used.
* Support for V1 parsing was completely removed in 2011 and that enum entry
* is only still there for API compatibility reasons.
* This is just for convenience now that we have two
* wildly different grammars.
*/
typedef enum
{
AA_RECORD_SYNTAX_V1,
@@ -52,23 +48,70 @@ typedef enum
AA_RECORD_STATUS /* Configuration change */
} aa_record_event_type;
/*
* Use this preprocessor dance to maintain backcompat for field names
* This will break C code that used the C++ reserved keywords "namespace"
* and "class" as identifiers, but this is bad practice anyways, and we
* hope that we are the only ones in a given C file that messed up this way
/**
* With the sole exception of active_hat, this is a 1:1
* mapping from the keys that the new syntax uses.
*
* TODO: document this in a man page for aalogparse?
*/
#if defined(SWIG) && defined(__cplusplus)
#error "SWIG and __cplusplus are defined together"
#elif !defined(SWIG) && !defined(__cplusplus)
/* Use SWIG's %rename feature to preserve backcompat */
#define class rule_class
#define namespace aa_namespace
#endif
* Some examples of the old syntax and how they're mapped with the aa_log_record struct:
*
* "PERMITTING r access to /path (program_name(12345) profile /profile active hat)"
* - operation: access
* - requested_mask: r
* - pid: 12345
* - profile: /profile
* - name: /path
* - info: program_name
* - active_hat: hat
*
* "REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out"
* - operation: mkdir
* - name: /path/to/something
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: xattr
* - attribute: set
* - name: /path/to/something
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: setattr
* - attribute: something
* - name: /else
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: capability
* - name: cap
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/change_hat_test/test_hat active=/change_hat_test/test_hat"
* - operation: change_hat
* - name: TESTHAT
* - info: unknown_hat
* - pid: 27764
* - profile: /change_hat_test/test_hat
* - active_hat: /change_hat_test/test_hat
*
* "LOGPROF-HINT fork pid=27764 child=38229"
* - operation: clone
* - task: 38229
* - pid: 27764
**/
typedef struct aa_log_record
typedef struct
{
aa_record_syntax_version version;
aa_record_event_type event; /* Event type */
@@ -91,7 +134,7 @@ typedef struct aa_log_record
char *comm; /* Command that triggered msg */
char *name;
char *name2;
char *aa_namespace;
char *namespace;
char *attribute;
unsigned long parent;
char *info;
@@ -105,7 +148,6 @@ typedef struct aa_log_record
unsigned long net_local_port;
char *net_foreign_addr;
unsigned long net_foreign_port;
char *dbus_bus;
char *dbus_path;
char *dbus_interface;
@@ -118,11 +160,7 @@ typedef struct aa_log_record
char *flags;
char *src_name;
char *rule_class;
char *net_addr;
char *peer_addr;
char *execpath;
char *class;
} aa_log_record;
/**
@@ -133,7 +171,7 @@ typedef struct aa_log_record
* @return Parsed data.
*/
aa_log_record *
parse_record(const char *str);
parse_record(char *str);
/**
* Frees all struct data.
@@ -142,9 +180,5 @@ parse_record(const char *str);
void
free_record(aa_log_record *record);
#ifdef __cplusplus
}
#endif
#endif

8
libraries/libapparmor/include/sys/apparmor.h
View File

@@ -105,8 +105,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
#define AA_QUERY_CMD_LABEL "label"
#define AA_QUERY_CMD_LABEL_SIZE sizeof(AA_QUERY_CMD_LABEL)
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
int *audited);
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
extern int aa_query_file_path_len(uint32_t mask, const char *label,
size_t label_len, const char *path,
size_t path_len, int *allowed, int *audited);
@@ -157,8 +157,6 @@ extern int aa_features_write_to_file(aa_features *features,
int dirfd, const char *path);
extern bool aa_features_is_equal(aa_features *features1,
aa_features *features2);
extern int aa_features_check(int dirfd, const char *path,
aa_features *features);
extern bool aa_features_supports(aa_features *features, const char *str);
extern char *aa_features_id(aa_features *features);
extern char *aa_features_value(aa_features *features, const char *str, size_t *len);
@@ -211,8 +209,6 @@ extern char *aa_policy_cache_filename(aa_policy_cache *policy_cache, const char
extern char *aa_policy_cache_dir_path_preview(aa_features *kernel_features,
int dirfd, const char *path);
extern int aa_split_overlay_str(char *str, char ***vec, size_t max_size, bool immutable);
#ifdef __cplusplus
}
#endif

25
libraries/libapparmor/src/Makefile.am
View File

@@ -32,10 +32,10 @@ INCLUDES = $(all_includes)
#
# After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
AA_LIB_CURRENT = 25
AA_LIB_CURRENT = 13
AA_LIB_REVISION = 2
AA_LIB_AGE = 24
EXPECTED_SO_NAME = libapparmor.so.1.24.2
AA_LIB_AGE = 12
EXPECTED_SO_NAME = libapparmor.so.1.12.2
SUFFIXES = .pc.in .pc
@@ -44,7 +44,8 @@ include $(COMMONDIR)/Make.rules
BUILT_SOURCES = grammar.h scanner.h af_protos.h
AM_LFLAGS = -v
AM_YFLAGS = -Wno-yacc -d -p aalogparse_
AM_YFLAGS = -d -p aalogparse_
AM_CFLAGS = -Wall $(EXTRA_WARNINGS) -fPIC -flto-partition=none
AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
scanner.h: scanner.l
$(LEX) -v $<
@@ -52,13 +53,13 @@ scanner.h: scanner.l
scanner.c: scanner.l
af_protos.h:
echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dD - | LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dM - | LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
lib_LTLIBRARIES = libapparmor.la
noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c policy_cache.c PMurHash.c
libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -Bdynamic -pthread \
libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic -pthread \
-Wl,--version-script=$(top_srcdir)/src/libapparmor.map
pkgconfigdir = $(libdir)/pkgconfig
@@ -73,16 +74,6 @@ CLEANFILES = libapparmor.pc
tst_aalogmisc_SOURCES = tst_aalogmisc.c
tst_aalogmisc_LDADD = .libs/libapparmor.a
tst_aalogparse_cpp_SOURCES = tst_aalogparse_cpp.cpp
tst_aalogparse_cpp_LDADD = .libs/libapparmor.a
tst_aalogparse_oldname_SOURCES = tst_aalogparse_oldname.c
tst_aalogparse_oldname_LDADD = .libs/libapparmor.a
tst_aalogparse_reentrancy_SOURCES = tst_aalogparse_reentrancy.c
tst_aalogparse_reentrancy_LDADD = .libs/libapparmor.a
tst_aalogparse_reentrancy_LDFLAGS = -pthread
tst_features_SOURCES = tst_features.c
tst_features_LDADD = .libs/libapparmor.a
@@ -90,7 +81,7 @@ tst_kernel_SOURCES = tst_kernel.c
tst_kernel_LDADD = .libs/libapparmor.a
tst_kernel_LDFLAGS = -pthread
check_PROGRAMS = tst_aalogmisc tst_aalogparse_cpp tst_aalogparse_reentrancy tst_aalogparse_oldname tst_features tst_kernel
check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
TESTS = $(check_PROGRAMS)
.PHONY: check-local

43
libraries/libapparmor/src/features.c
View File

@@ -35,7 +35,6 @@
#include "PMurHash.h"
#define FEATURES_FILE "/sys/kernel/security/apparmor/features"
#define CACHE_FEATURES_FILE ".features"
#define HASH_SIZE (8 + 1) /* 32 bits binary to hex + NUL terminator */
#define STRING_SIZE 8192
@@ -399,10 +398,6 @@ static bool walk_one(const char **str, const struct component *component,
i = 0;
cur++;
/* Partial match, continue to search */
if (i == component->len && !isbrace_space_or_nul(*cur))
i = 0;
}
/* Return false if a full match was not found */
@@ -663,44 +658,6 @@ bool aa_features_is_equal(aa_features *features1, aa_features *features2)
strcmp(features1->string, features2->string) == 0;
}
/**
* aa_features_check - check if features from a directory matches an aa_features object
* @dirfd: a directory file descriptory or AT_FDCWD (see openat(2))
* @path: the path containing the features
* @features: features to be matched against
*
* Returns: 0 on success, -1 on failure. errno is set to EEXIST when there's not a match
*/
int aa_features_check(int dirfd, const char *path,
aa_features *features)
{
aa_features *local_features = NULL;
autofree char *name = NULL;
bool rc;
int len;
len = asprintf(&name, "%s/%s", path, CACHE_FEATURES_FILE);
if (len == -1) {
errno = ENOMEM;
return -1;
}
/* verify that path dir .features matches */
if (aa_features_new(&local_features, dirfd, name)) {
PDEBUG("could not setup new features object for dirfd '%d' '%s'\n", dirfd, name);
return -1;
}
rc = aa_features_is_equal(local_features, features);
aa_features_unref(local_features);
if (!rc) {
errno = EEXIST;
return -1;
}
return 0;
}
static const char *features_lookup(aa_features *features, const char *str)
{
const char *features_string = features->string;

77
libraries/libapparmor/src/grammar.y
View File

@@ -15,15 +15,17 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/* aalogparse_error now requires visibility of the aa_log_record type
* Also include in a %code requires block to add it to the header
*/
%code requires{
#include <aalogparse.h>
}
%{
/* set the following to non-zero to get bison to emit debugging
* information about tokens given and rules matched.
* Also:
* Uncomment the %defines
* parse.error
* parse.trace
*/
#define YYDEBUG 0
#include <string.h>
#include <aalogparse.h>
#include "parser.h"
@@ -39,10 +41,12 @@
#define debug_unused_ unused_
#endif
aa_log_record *ret_record;
/* Since we're a library, on any errors we don't want to print out any
* error messages. We should probably add a debug interface that does
* emit messages when asked for. */
void aalogparse_error(unused_ void *scanner, aa_log_record *ret_record, debug_unused_ char const *s)
void aalogparse_error(unused_ void *scanner, debug_unused_ char const *s)
{
#if (YYDEBUG != 0)
printf("ERROR: %s\n", s);
@@ -85,10 +89,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%define parse.trace
*/
%define api.pure full
%define api.pure
%lex-param{void *scanner}
%parse-param{void *scanner}
%parse-param{aa_log_record *ret_record}
%union
{
@@ -111,7 +114,6 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_PERIOD
%token TOK_QUESTION_MARK
%token TOK_SINGLE_QUOTE
%token TOK_NONE
%token TOK_TYPE_REJECT
%token TOK_TYPE_AUDIT
@@ -185,8 +187,6 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_FSTYPE
%token TOK_KEY_FLAGS
%token TOK_KEY_SRCNAME
%token TOK_KEY_UNIX_PEER_ADDR
%token TOK_KEY_EXECPATH
%token TOK_KEY_CLASS
%token TOK_SOCKLOGD_KERNEL
@@ -249,7 +249,7 @@ syslog_type:
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date syslog_id TOK_DMESG_STAMP key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
/* needs update: hard newline in handling multiline log messages */
/* needs update: hard newline in handling mutiline log messages */
| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
@@ -281,9 +281,8 @@ audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id audit_user_msg_tail
audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
{
if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7)) {
yyerror(scanner, ret_record, YY_("Out of memory"));
}
if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7))
yyerror(scanner, YY_("Out of memory"));
ret_record->epoch = atol($3);
ret_record->audit_sub_id = atoi($7);
free($3);
@@ -306,7 +305,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
| TOK_KEY_NAME TOK_EQUALS safe_string
{ ret_record->name = $3;}
| TOK_KEY_NAMESPACE TOK_EQUALS safe_string
{ ret_record->aa_namespace = $3;}
{ ret_record->namespace = $3;}
| TOK_KEY_NAME2 TOK_EQUALS safe_string
{ ret_record->name2 = $3;}
| TOK_KEY_MASK TOK_EQUALS TOK_QUOTED_STRING
@@ -355,13 +354,6 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->fsuid = $3;}
| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
{ ret_record->ouid = $3;}
| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
| TOK_KEY_ADDR TOK_EQUALS TOK_NONE
| TOK_KEY_ADDR TOK_EQUALS safe_string
{ ret_record->net_addr = $3; }
| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS TOK_NONE
| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS safe_string
{ ret_record->peer_addr = $3; }
| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
{ free($3);} /* Ignore - fsuid username */
| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
@@ -371,7 +363,10 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
{ free($3); /* Ignore - hostname from user AVC messages */ }
| TOK_KEY_HOSTNAME TOK_EQUALS TOK_QUESTION_MARK
| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
| TOK_KEY_TERMINAL TOK_EQUALS TOK_QUESTION_MARK
| TOK_KEY_ADDR TOK_EQUALS safe_string
{ free($3); /* Ignore - IP address from user AVC messages */ }
| TOK_KEY_TERMINAL TOK_EQUALS safe_string
{ free($3); /* Ignore - TTY from user AVC messages */ }
| TOK_KEY_EXE TOK_EQUALS safe_string
@@ -424,21 +419,21 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->dbus_member = $3; }
| TOK_KEY_SIGNAL TOK_EQUALS TOK_ID
{ ret_record->signal = $3; }
| TOK_KEY_FSTYPE TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->fs_type = $3; }
| TOK_KEY_FLAGS TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->flags = $3; }
| TOK_KEY_SRCNAME TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->src_name = $3; }
| TOK_KEY_EXECPATH TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->execpath = $3; }
| TOK_MSG_REST
{
ret_record->event = AA_RECORD_INVALID;
ret_record->info = $1;
}
| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->rule_class = $3; }
{ ret_record->class = $3; }
;
apparmor_event:
@@ -475,3 +470,31 @@ protocol: TOK_QUOTED_STRING
}
;
%%
aa_log_record *
_parse_yacc(char *str)
{
/* yydebug = 1; */
YY_BUFFER_STATE lex_buf;
yyscan_t scanner;
ret_record = NULL;
ret_record = malloc(sizeof(aa_log_record));
_init_log_record(ret_record);
if (ret_record == NULL)
return NULL;
#if (YYDEBUG != 0)
yydebug = 1;
#endif
aalogparse_lex_init(&scanner);
lex_buf = aalogparse__scan_string(str, scanner);
/* Ignore return value to return an AA_RECORD_INVALID event */
(void)aalogparse_parse(scanner);
aalogparse__delete_buffer(lex_buf, scanner);
aalogparse_lex_destroy(scanner);
return ret_record;
}

131
libraries/libapparmor/src/kernel.c
View File

@@ -463,7 +463,7 @@ static char *procattr_path(pid_t pid, const char *attr)
static int procattr_open(pid_t tid, const char *attr, int flags)
{
autofree char *tmp = NULL;
char *tmp;
int fd;
tmp = procattr_path(tid, attr);
@@ -471,7 +471,7 @@ static int procattr_open(pid_t tid, const char *attr, int flags)
return -1;
}
fd = open(tmp, flags);
free(tmp);
/* Test is we can fallback to the old interface (this is ugly).
* If we haven't tried the old interface already
* proc_attr_base == proc_attr_base_old - no fallback
@@ -483,14 +483,11 @@ static int procattr_open(pid_t tid, const char *attr, int flags)
* old interface where is_enabled() is only successful if
* the old interface is available to apparmor.
*/
if (fd == -1 && param_check_enabled() != 0 && strncmp(tmp, proc_attr_base_old, strlen(proc_attr_base_old)) != 0) {
free(tmp);
if (asprintf(&tmp, proc_attr_base_old, tid, attr) < 0) {
/* tmp is undefined, make sure it is null for autofree*/
tmp = NULL;
if (fd == -1 && tmp != proc_attr_base_old && param_check_enabled() != 0) {
if (asprintf(&tmp, proc_attr_base_old, tid, attr) < 0)
return -1;
}
fd = open(tmp, flags);
free(tmp);
}
return fd;
@@ -1358,121 +1355,3 @@ int aa_query_link_path(const char *label, const char *target, const char *link,
strlen(target), link, strlen(link),
allowed, audited);
}
static int alloc_substring(char ***v, char *s, char *p,
size_t max_size, size_t n, bool immutable)
{
if (max_size) {
if (n >= max_size) {
errno = E2BIG;
return -1;
}
} else {
char ** tmpv;
tmpv = (char **) realloc(*v, (n + 1) * sizeof(char *));
if (tmpv == NULL) {
errno = ENOMEM;
return -1;
}
*v = tmpv;
}
if (immutable) {
char *tmp;
tmp = (char *) malloc(p - s + 1);
if (tmp == NULL) {
errno = ENOMEM;
return -1;
}
memcpy(tmp, s, p - s);
tmp[p - s] = 0;
(*v)[n] = tmp;
} else {
(*v)[n] = s;
if (*p)
*p = 0;
}
return 0;
}
/**
* aa_split_overlay_str - split a string into potentially multiple strings
* @str: the string to split
* @vec: vector to put string pointers into, IF null will be allocated
* @max_size: maximum number of ents to put in @vec, IF 0 dynamic
* @immutable: true if @str should not be modified.
*
* Returns: the number of entries in vec on success. -1 on error and errno set.
*
* Split a comma or colon separated string into substrings.
*
* IF @vec == NULL
* the vec will be dynamically allocated
* ELSE
* passed in @vec will be used, and NOT updated/extended
*
* IF @max_size == 0 && @vec == NULL
* @vec will be dynamically resized
* ELSE
* @vec will be fixed at @max_size
*
* IF @immutable is true
* the substrings placed in @vec will be allocated copies.
* ELSE
* @str will be updated in place and @vec[x] will point into @str
*/
int aa_split_overlay_str(char *str, char ***vec, size_t max_size, bool immutable)
{
char *s = str;
char *p = str;
int rc, n = 0;
char **v = *vec;
if (!*vec) {
if (max_size) {
v = (char **) malloc(max_size * sizeof(char *));
if (v == NULL) {
rc = ENOMEM;
goto err;
}
}
}
while (*p) {
if (*p == '\\') {
if (*(p + 1) != 0)
p++;
} else if (*p == ',' || *p == ':') {
if (p != s) {
if (alloc_substring(&v, s, p, max_size, n, immutable) == -1) {
rc = errno;
goto err;
}
n++;
}
p++;
s = p;
} else
p++;
}
if (p != s) {
if (alloc_substring(&v, s, p, max_size, n, immutable) == -1) {
rc = errno;
goto err;
}
n++;
}
*vec = v;
return n;
err:
if (immutable) {
for (int i = 0; i < n; i++) {
free(v[i]);
}
}
if (!*vec)
free(v);
errno = rc;
return -1;
}

48
libraries/libapparmor/src/libaalogparse.c
View File

@@ -34,42 +34,13 @@
#include <aalogparse.h>
#include "parser.h"
#include "grammar.h"
#include "scanner.h"
/* This is mostly just a wrapper around the code in grammar.y */
aa_log_record *parse_record(const char *str)
aa_log_record *parse_record(char *str)
{
YY_BUFFER_STATE lex_buf;
yyscan_t scanner;
aa_log_record *ret_record;
if (str == NULL)
return NULL;
ret_record = malloc(sizeof(aa_log_record));
_init_log_record(ret_record);
if (ret_record == NULL)
return NULL;
struct string_buf string_buf = {.buf = NULL, .buf_len = 0, .buf_alloc = 0};
#if (YYDEBUG != 0)
/* Warning: this is still a global even in reentrant parsers */
aalogparse_debug = 1;
#endif
aalogparse_lex_init_extra(&string_buf, &scanner);
lex_buf = aalogparse__scan_string(str, scanner);
/* Ignore return value to return an AA_RECORD_INVALID event */
(void)aalogparse_parse(scanner, ret_record);
aalogparse__delete_buffer(lex_buf, scanner);
aalogparse_lex_destroy(scanner);
/* free(NULL) is a no-op */
free(string_buf.buf);
return ret_record;
return _parse_yacc(str);
}
void free_record(aa_log_record *record)
@@ -92,8 +63,8 @@ void free_record(aa_log_record *record)
free(record->name);
if (record->name2 != NULL)
free(record->name2);
if (record->aa_namespace != NULL)
free(record->aa_namespace);
if (record->namespace != NULL)
free(record->namespace);
if (record->attribute != NULL)
free(record->attribute);
if (record->info != NULL)
@@ -132,15 +103,8 @@ void free_record(aa_log_record *record)
free(record->flags);
if (record->src_name != NULL)
free(record->src_name);
if (record->net_addr != NULL)
free(record->net_addr);
if (record->peer_addr != NULL)
free(record->peer_addr);
if (record->execpath != NULL)
free(record->execpath);
if (record->rule_class != NULL)
free(record->rule_class);
if (record->class != NULL)
free(record->class);
free(record);
}

8
libraries/libapparmor/src/libapparmor.map
View File

@@ -124,14 +124,6 @@ APPARMOR_3.0 {
*;
} APPARMOR_2.13.1;
APPARMOR_3.1 {
global:
aa_features_check;
aa_split_overlay_str;
local:
*;
} APPARMOR_3.0;
PRIVATE {
global:
_aa_is_blacklisted;

8
libraries/libapparmor/src/parser.h
View File

@@ -19,14 +19,8 @@
#ifndef __AA_LOG_PARSER_H__
#define __AA_LOG_PARSER_H__
// Internal-only type
struct string_buf {
char *buf;
unsigned int buf_len;
unsigned int buf_alloc;
};
extern void _init_log_record(aa_log_record *record);
extern aa_log_record *_parse_yacc(char *str);
extern char *hex_to_string(char *str);
extern char *ipproto_to_string(unsigned int proto);

42
libraries/libapparmor/src/policy_cache.c
View File

@@ -147,6 +147,36 @@ repeat:
return path;
}
static int cache_check_features(int dirfd, const char *cache_name,
aa_features *features)
{
aa_features *local_features = NULL;
autofree char *name = NULL;
bool rc;
int len;
len = asprintf(&name, "%s/%s", cache_name, CACHE_FEATURES_FILE);
if (len == -1) {
errno = ENOMEM;
return -1;
}
/* verify that cache dir .features matches */
if (aa_features_new(&local_features, dirfd, name)) {
PDEBUG("could not setup new features object for dirfd '%d' '%s'\n", dirfd, name);
return -1;
}
rc = aa_features_is_equal(local_features, features);
aa_features_unref(local_features);
if (!rc) {
errno = EEXIST;
return -1;
}
return 0;
}
static int create_cache(aa_policy_cache *policy_cache, aa_features *features)
{
if (aa_policy_cache_remove(policy_cache->dirfd[0], "."))
@@ -164,8 +194,8 @@ static int create_cache(aa_policy_cache *policy_cache, aa_features *features)
static int init_cache_features(aa_policy_cache *policy_cache,
aa_features *kernel_features, bool create)
{
if (aa_features_check(policy_cache->dirfd[0], ".",
kernel_features)) {
if (cache_check_features(policy_cache->dirfd[0], ".",
kernel_features)) {
/* EEXIST must come before ENOENT for short circuit eval */
if (!create || errno == EEXIST || errno != ENOENT)
return -1;
@@ -201,13 +231,13 @@ static int cache_miss_cb(int dirfd, const struct dirent *ent, void *arg)
errno = ENOMEM;
return -1;
}
if (!aa_features_check(dirfd, cache_name, data->features) || errno == ENOENT) {
if (!cache_check_features(dirfd, cache_name, data->features) || errno == ENOENT) {
/* found cache dir matching pattern */
data->cache_name = cache_name;
/* return 1 to stop iteration and signal dir found */
return 1;
} else if (errno != EEXIST) {
PDEBUG("aa_features_check() failed for dirfd '%d' '%s'\n", dirfd, cache_name);
PDEBUG("cache_check_features() failed for dirfd '%d' '%s'\n", dirfd, cache_name);
free(cache_name);
return -1;
}
@@ -243,12 +273,12 @@ static int cache_dir_from_path_and_features(char **cache_path,
if (len == -1)
return -1;
if (!aa_features_check(dirfd, cache_dir, features) || errno == ENOENT) {
if (!cache_check_features(dirfd, cache_dir, features) || errno == ENOENT) {
PDEBUG("cache_dir_from_path_and_features() found '%s'\n", cache_dir);
*cache_path = cache_dir;
return 0;
} else if (errno != EEXIST) {
PDEBUG("aa_features_check() failed for dirfd '%d' %s\n", dirfd, cache_dir);
PDEBUG("cache_check_features() failed for dirfd '%d' %s\n", dirfd, cache_dir);
free(cache_dir);
return -1;
}

71
libraries/libapparmor/src/scanner.l
View File

@@ -19,7 +19,6 @@
%option nounput
%option noyy_top_state
%option reentrant
%option extra-type="struct string_buf*"
%option prefix="aalogparse_"
%option bison-bridge
%option header-file="scanner.h"
@@ -35,37 +34,40 @@
#define YY_NO_INPUT
void string_buf_reset(struct string_buf* char_buf)
unsigned int string_buf_alloc = 0;
unsigned int string_buf_len = 0;
char *string_buf = NULL;
void string_buf_reset()
{
/* rewind buffer to zero, possibly doing initial allocation too */
char_buf->buf_len = 0;
if (char_buf->buf == NULL) {
char_buf->buf_alloc = 128;
char_buf->buf = malloc(char_buf->buf_alloc);
assert(char_buf->buf != NULL);
string_buf_len = 0;
if (string_buf == NULL) {
string_buf_alloc = 128;
string_buf = malloc(string_buf_alloc);
assert(string_buf != NULL);
}
/* always start with a valid but empty string */
char_buf->buf[0] = '\0';
string_buf[0] = '\0';
}
void string_buf_append(struct string_buf* char_buf, unsigned int length, char *text)
void string_buf_append(unsigned int length, char *text)
{
unsigned int current_length = char_buf->buf_len;
unsigned int current_length = string_buf_len;
/* handle calling ..._append before ..._reset */
if (char_buf->buf == NULL) string_buf_reset(char_buf);
if (string_buf == NULL) string_buf_reset();
char_buf->buf_len += length;
string_buf_len += length;
/* expand allocation if this append would exceed the allocation */
while (char_buf->buf_len >= char_buf->buf_alloc) {
// TODO: overflow?
char_buf->buf_alloc *= 2;
char_buf->buf = realloc(char_buf->buf, char_buf->buf_alloc);
assert(char_buf->buf != NULL);
while (string_buf_len >= string_buf_alloc) {
string_buf_alloc *= 2;
string_buf = realloc(string_buf, string_buf_alloc);
assert(string_buf != NULL);
}
/* copy and unconditionally terminate */
memcpy(char_buf->buf+current_length, text, length);
char_buf->buf[char_buf->buf_len] = '\0';
memcpy(string_buf+current_length, text, length);
string_buf[string_buf_len] = '\0';
}
%}
@@ -88,7 +90,6 @@ question_mark "?"
single_quote "'"
mode_chars ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
modes ({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
none "none"
/* New message types */
aa_reject_type "APPARMOR_DENIED"
@@ -156,13 +157,9 @@ key_capname "capname"
key_offset "offset"
key_target "target"
key_laddr "laddr"
key_saddr "saddr"
key_faddr "faddr"
key_daddr "daddr"
key_lport "lport"
key_srcport "src"
key_fport "fport"
key_destport "dest"
key_bus "bus"
key_dest "dest"
key_path "path"
@@ -175,9 +172,6 @@ key_fstype "fstype"
key_flags "flags"
key_srcname "srcname"
key_class "class"
key_tcontext "tcontext"
key_unix_peer_addr "peer_addr"
key_execpath "execpath"
audit "audit"
/* network addrs */
@@ -230,7 +224,7 @@ yy_flex_debug = 0;
{open_paren} { return(TOK_OPEN_PAREN); }
{close_paren} { BEGIN(INITIAL); return(TOK_CLOSE_PAREN); }
{ws} { }
\" { string_buf_reset(yyextra); BEGIN(quoted_string); }
\" { string_buf_reset(); BEGIN(quoted_string); }
{ID}+ {
yylval->t_str = strdup(yytext);
BEGIN(INITIAL);
@@ -239,20 +233,20 @@ yy_flex_debug = 0;
{equals} { return(TOK_EQUALS); }
}
\" { string_buf_reset(yyextra); BEGIN(quoted_string); }
\" { string_buf_reset(); BEGIN(quoted_string); }
<quoted_string>\" { /* End of the quoted string */
BEGIN(INITIAL);
yylval->t_str = strdup(yyextra->buf);
yylval->t_str = strdup(string_buf);
return(TOK_QUOTED_STRING);
}
<quoted_string>\\(.|\n) { string_buf_append(yyextra, 1, &yytext[1]); }
<quoted_string>\\(.|\n) { string_buf_append(1, &yytext[1]); }
<quoted_string>[^\\\n\"]+ { string_buf_append(yyextra, yyleng, yytext); }
<quoted_string>[^\\\n\"]+ { string_buf_append(yyleng, yytext); }
<safe_string>{
\" { string_buf_reset(yyextra); BEGIN(quoted_string); }
\" { string_buf_reset(); BEGIN(quoted_string); }
{hexstring} { yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
{equals} { return(TOK_EQUALS); }
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
@@ -308,8 +302,6 @@ yy_flex_debug = 0;
{period} { return(TOK_PERIOD); }
{question_mark} { return(TOK_QUESTION_MARK); }
{single_quote} { return(TOK_SINGLE_QUOTE); }
{none} { return(TOK_NONE); }
{key_apparmor} { BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
{key_type} { BEGIN(audit_types); return(TOK_KEY_TYPE); }
@@ -335,7 +327,6 @@ yy_flex_debug = 0;
{key_peer_profile} { BEGIN(safe_string); return(TOK_KEY_PEER_PROFILE); }
{key_label} { BEGIN(safe_string); return(TOK_KEY_LABEL); }
{key_peer_label} { BEGIN(safe_string); return(TOK_KEY_PEER_LABEL); }
{key_tcontext} { BEGIN(safe_string); return(TOK_KEY_PEER_LABEL); }
{key_family} { return(TOK_KEY_FAMILY); }
{key_sock_type} { return(TOK_KEY_SOCK_TYPE); }
{key_protocol} { return(TOK_KEY_PROTOCOL); }
@@ -349,7 +340,7 @@ yy_flex_debug = 0;
{key_sauid} { return(TOK_KEY_SAUID); }
{key_ses} { return(TOK_KEY_SES); }
{key_hostname} { return(TOK_KEY_HOSTNAME); }
{key_addr} { BEGIN(safe_string); return(TOK_KEY_ADDR); }
{key_addr} { return(TOK_KEY_ADDR); }
{key_terminal} { return(TOK_KEY_TERMINAL); }
{key_exe} { BEGIN(safe_string); return(TOK_KEY_EXE); }
{key_comm} { BEGIN(safe_string); return(TOK_KEY_COMM); }
@@ -358,13 +349,9 @@ yy_flex_debug = 0;
{key_offset} { return(TOK_KEY_OFFSET); }
{key_target} { return(TOK_KEY_TARGET); }
{key_laddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
{key_saddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
{key_faddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
{key_daddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
{key_lport} { return(TOK_KEY_LPORT); }
{key_srcport} { return(TOK_KEY_LPORT); }
{key_fport} { return(TOK_KEY_FPORT); }
{key_destport} { return(TOK_KEY_FPORT); }
{key_bus} { return(TOK_KEY_BUS); }
{key_path} { return(TOK_KEY_PATH); }
{key_interface} { return(TOK_KEY_INTERFACE); }
@@ -375,8 +362,6 @@ yy_flex_debug = 0;
{key_fstype} { return(TOK_KEY_FSTYPE); }
{key_flags} { BEGIN(safe_string); return(TOK_KEY_FLAGS); }
{key_srcname} { BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
{key_unix_peer_addr} { BEGIN(safe_string); return(TOK_KEY_UNIX_PEER_ADDR); }
{key_execpath} { BEGIN(safe_string); return(TOK_KEY_EXECPATH); }
{key_class} { BEGIN(safe_string); return(TOK_KEY_CLASS); }
{socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }

20
libraries/libapparmor/src/tst_aalogparse_cpp.cpp
View File

@@ -1,20 +0,0 @@
#include <aalogparse.h>
#include <string.h>
#include "private.h"
const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
int main(void) {
int rc = 0;
/* Very basic test to ensure we can do aalogparse stuff in C++ */
aa_log_record *record = parse_record(log_line);
MY_TEST(record != NULL, "Log failed to parse");
MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
MY_TEST(record->aa_namespace == NULL, "Log should have NULL namespace");
MY_TEST((record->rule_class != NULL) && (strcmp(record->rule_class, "file") == 0), "Log should have file class");
free_record(record);
return rc;
}

20
libraries/libapparmor/src/tst_aalogparse_oldname.c
View File

@@ -1,20 +0,0 @@
#include <aalogparse.h>
#include <string.h>
#include "private.h"
const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
int main(void) {
int rc = 0;
/* Very basic test to ensure we can use the C++-incompatible field names */
aa_log_record *record = parse_record(log_line);
MY_TEST(record != NULL, "Log failed to parse");
MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
MY_TEST(record->namespace == NULL, "Log should have NULL namespace");
MY_TEST((record->class != NULL) && (strcmp(record->class, "file") == 0), "Log should have file class");
free_record(record);
return rc;
}

154
libraries/libapparmor/src/tst_aalogparse_reentrancy.c
View File

@@ -1,154 +0,0 @@
#include <pthread.h>
#include <string.h>
#include <aalogparse.h>
#include "private.h"
const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
const char* log_line_2 = "[ 4074.372559] audit: type=1400 audit(1725553393.143:793): apparmor=\"DENIED\" operation=\"capable\" class=\"cap\" profile=\"/usr/lib/snapd/snap-confine\" pid=19034 comm=\"snap-confine\" capability=12 capname=\"net_admin\"";
static int pthread_barrier_ok(int barrier_result) {
return barrier_result == 0 || barrier_result == PTHREAD_BARRIER_SERIAL_THREAD;
}
static int nullcmp_and_strcmp(const void *s1, const void *s2)
{
/* Return 0 if both pointers are NULL & non-zero if only one is NULL */
if (!s1 || !s2)
return s1 != s2;
return strcmp(s1, s2);
}
int aa_log_record_eq(aa_log_record *record1, aa_log_record *record2) {
int are_eq = 1;
are_eq &= (record1->version == record2->version);
are_eq &= (record1->event == record2->event);
are_eq &= (record1->pid == record2->pid);
are_eq &= (record1->peer_pid == record2->peer_pid);
are_eq &= (record1->task == record2->task);
are_eq &= (record1->magic_token == record2->magic_token);
are_eq &= (record1->epoch == record2->epoch);
are_eq &= (record1->audit_sub_id == record2->audit_sub_id);
are_eq &= (record1->bitmask == record2->bitmask);
are_eq &= (nullcmp_and_strcmp(record1->audit_id, record2->audit_id) == 0);
are_eq &= (nullcmp_and_strcmp(record1->operation, record2->operation) == 0);
are_eq &= (nullcmp_and_strcmp(record1->denied_mask, record2->denied_mask) == 0);
are_eq &= (nullcmp_and_strcmp(record1->requested_mask, record2->requested_mask) == 0);
are_eq &= (record1->fsuid == record2->fsuid);
are_eq &= (record1->ouid == record2->ouid);
are_eq &= (nullcmp_and_strcmp(record1->profile, record2->profile) == 0);
are_eq &= (nullcmp_and_strcmp(record1->peer_profile, record2->peer_profile) == 0);
are_eq &= (nullcmp_and_strcmp(record1->comm, record2->comm) == 0);
are_eq &= (nullcmp_and_strcmp(record1->name, record2->name) == 0);
are_eq &= (nullcmp_and_strcmp(record1->name2, record2->name2) == 0);
are_eq &= (nullcmp_and_strcmp(record1->namespace, record2->namespace) == 0);
are_eq &= (nullcmp_and_strcmp(record1->attribute, record2->attribute) == 0);
are_eq &= (record1->parent == record2->parent);
are_eq &= (nullcmp_and_strcmp(record1->info, record2->info) == 0);
are_eq &= (nullcmp_and_strcmp(record1->peer_info, record2->peer_info) == 0);
are_eq &= (record1->error_code == record2->error_code);
are_eq &= (nullcmp_and_strcmp(record1->active_hat, record2->active_hat) == 0);
are_eq &= (nullcmp_and_strcmp(record1->net_family, record2->net_family) == 0);
are_eq &= (nullcmp_and_strcmp(record1->net_protocol, record2->net_protocol) == 0);
are_eq &= (nullcmp_and_strcmp(record1->net_sock_type, record2->net_sock_type) == 0);
are_eq &= (nullcmp_and_strcmp(record1->net_local_addr, record2->net_local_addr) == 0);
are_eq &= (record1->net_local_port == record2->net_local_port);
are_eq &= (nullcmp_and_strcmp(record1->net_foreign_addr, record2->net_foreign_addr) == 0);
are_eq &= (record1->net_foreign_port == record2->net_foreign_port);
are_eq &= (nullcmp_and_strcmp(record1->execpath, record2->execpath) == 0);
are_eq &= (nullcmp_and_strcmp(record1->dbus_bus, record2->dbus_bus) == 0);
are_eq &= (nullcmp_and_strcmp(record1->dbus_path, record2->dbus_path) == 0);
are_eq &= (nullcmp_and_strcmp(record1->dbus_interface, record2->dbus_interface) == 0);
are_eq &= (nullcmp_and_strcmp(record1->dbus_member, record2->dbus_member) == 0);
are_eq &= (nullcmp_and_strcmp(record1->signal, record2->signal) == 0);
are_eq &= (nullcmp_and_strcmp(record1->peer, record2->peer) == 0);
are_eq &= (nullcmp_and_strcmp(record1->fs_type, record2->fs_type) == 0);
are_eq &= (nullcmp_and_strcmp(record1->flags, record2->flags) == 0);
are_eq &= (nullcmp_and_strcmp(record1->src_name, record2->src_name) == 0);
are_eq &= (nullcmp_and_strcmp(record1->class, record2->class) == 0);
are_eq &= (nullcmp_and_strcmp(record1->net_addr, record2->net_addr) == 0);
are_eq &= (nullcmp_and_strcmp(record1->peer_addr, record2->peer_addr) == 0);
return are_eq;
}
typedef struct {
const char* log;
pthread_barrier_t *barrier;
} pthread_parse_args;
void* pthread_parse_log(void* args) {
pthread_parse_args *args_real = (pthread_parse_args *) args;
int barrier_wait_result = pthread_barrier_wait(args_real->barrier);
/* Return NULL and fail test if barrier wait fails */
if (!pthread_barrier_ok(barrier_wait_result)) {
return NULL;
}
aa_log_record *record = parse_record(args_real->log);
return (void*) record;
}
#define NUM_THREADS 16
int main(void) {
pthread_t thread_ids[NUM_THREADS];
pthread_barrier_t barrier;
int barrier_wait_result;
aa_log_record* parsed_logs[NUM_THREADS];
int rc = 0;
/* Set up arguments to be passed to threads */
pthread_parse_args args = {.log=log_line, .barrier=&barrier};
pthread_parse_args args2 = {.log=log_line_2, .barrier=&barrier};
MY_TEST(NUM_THREADS > 2, "Test requires more than 2 threads");
/* Use barrier to synchronize the start of log parsing among all the threads
* This increases the likelihood of tickling race conditions, if there are any
*/
MY_TEST(pthread_barrier_init(&barrier, NULL, NUM_THREADS+1) == 0,
"Could not init pthread barrier");
for (int i=0; i<NUM_THREADS; i++) {
if (i%2 == 0) {
pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args);
} else {
pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args2);
}
}
/* Final barrier_wait to set off the thread race */
barrier_wait_result = pthread_barrier_wait(&barrier);
MY_TEST(pthread_barrier_ok(barrier_wait_result), "Could not wait on pthread barrier");
/* Wait for threads to finish parsing the logs */
for (int i=0; i<NUM_THREADS; i++) {
MY_TEST(pthread_join(thread_ids[i], (void*) &parsed_logs[i]) == 0, "Could not join thread");
}
/* Check that all logs parsed and are equal */
for (int i=0; i<NUM_THREADS; i++) {
MY_TEST(parsed_logs[i] != NULL, "Log failed to parse");
MY_TEST(parsed_logs[i]->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
MY_TEST(parsed_logs[i]->event == AA_RECORD_DENIED, "Log should have parsed as denied");
/* Also check i==0 and i==1 as a sanity check for aa_log_record_eq */
if (i%2 == 0) {
MY_TEST(aa_log_record_eq(parsed_logs[0], parsed_logs[i]), "Log 0 != Log even");
} else {
MY_TEST(aa_log_record_eq(parsed_logs[1], parsed_logs[i]), "Log 1 != Log odd");
}
}
MY_TEST(!aa_log_record_eq(parsed_logs[0], parsed_logs[1]), "Log 0 and log 1 shouldn't be equal");
/* Clean up */
MY_TEST(pthread_barrier_destroy(&barrier) == 0, "Could not destroy pthread barrier");
for (int i=0; i<NUM_THREADS; i++) {
free_record(parsed_logs[i]);
}
return rc;
}

2
libraries/libapparmor/src/tst_features.c
View File

@@ -135,7 +135,7 @@ static int do_test_walk_one(const char **str, const struct component *component,
static int test_walk_one(void)
{
struct component c = (struct component) { NULL, 0 };
struct component c;
const char *str;
int rc = 0;

401
libraries/libapparmor/swig/SWIG/libapparmor.i
View File

@@ -5,98 +5,9 @@
#include <sys/apparmor.h>
#include <sys/apparmor_private.h>
// Include static_assert if the C compiler supports it
// static_assert standardized since C11, assert.h not needed since C23
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && __STDC_VERSION__ < 202311L
#include <assert.h>
#endif
%}
%include "typemaps.i"
%include <cstring.i>
%include <stdint.i>
%include <exception.i>
/*
* SWIG 4.3 included https://github.com/swig/swig/pull/2907 to distinguish
* between Py_None being returned as a default void and Py_None being returned
* as the equivalent of C NULL. Unfortunately, this turns into an API breaking
* change with our use of %append_output when we want the Python function to
* return something even when the C function has a void return type. Thus, we
* need an additional macro to smooth over the differences. Include all affected
* languages, even ones we don't build bindings for, for completeness.
*/
#if SWIG_VERSION >= 0x040300
#ifdef SWIGPYTHON
#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Python_AppendOutput($result, value, 1);}
#elif defined(SWIGRUBY)
#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Ruby_AppendOutput($result, value, 1);}
#elif defined(SWIGPHP)
#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Php_AppendOutput($result, value, 1);}
#else
#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
#endif
#else
#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
#endif
%newobject parse_record;
%delobject free_record;
/*
* Despite its name, %delobject does not hook up destructors to language
* deletion mechanisms. Instead, it sets flags so that manually calling the
* free function and then deleting by language mechanisms doesn't cause a
* double-free.
*
* Additionally, we can manually extend the struct with a C++-like
* destructor. This ensures that the record struct is freed
* automatically when the high-level object goes out of scope.
*/
%extend aa_log_record {
~aa_log_record() {
free_record($self);
}
}
/*
* Generate a no-op free_record wrapper to avoid making a double-free footgun.
* Use rename directive to avoid colliding with the actual free_record, which
* we use above to clean up when the higher-level language deletes the object.
*
* Ideally we would not expose a free_record at all, but we need to maintain
* backwards compatibility with the existing high-level code that uses it.
*/
%rename(free_record) noop_free_record;
#ifdef SWIGPYTHON
%pythonprepend noop_free_record %{
import warnings
warnings.warn("free_record is now a no-op as the record's memory is handled automatically", DeprecationWarning)
%}
#endif
%feature("autodoc",
"This function used to free aa_log_record objects. Freeing is now handled "
"automatically, so this no-op function remains for backwards compatibility.") noop_free_record;
%inline %{
void noop_free_record(aa_log_record *record) {(void) record;}
%}
/*
* Do not autogenerate a wrapper around free_record. This does not prevent us
* from calling it ourselves in %extend C code.
*/
%ignore free_record;
/*
* Map names to preserve backwards compatibility
*/
#ifdef SWIGPYTHON
%rename("_class") aa_log_record::rule_class;
#else
%rename("class") aa_log_record::rule_class;
#endif
%rename("namespace") aa_log_record::aa_namespace;
%include <aalogparse.h>
/**
@@ -110,75 +21,18 @@ warnings.warn("free_record is now a no-op as the record's memory is handled auto
/* apparmor.h */
/*
* label is a heap-allocated pointer, but when label and mode occur together,
* the freeing of label must be deferred because mode points into label.
*
* %cstring_output_allocate((char **label, char **mode), free(*$1))
* does not handle multi-argument typemaps correctly, so we write our own
* typemap based on it instead.
*/
%typemap(in,noblock=1,numinputs=0) (char **label, char **mode) ($*1_ltype temp_label = 0, $*2_ltype temp_mode = 0) {
$1 = &temp_label;
$2 = &temp_mode;
}
%typemap(freearg,match="in") (char **label, char **mode) ""
%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **label, char **mode) {
ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$2));
free(*$1);
}
/*
* mode also occurs in combination with con in aa_splitcon
* typemap based on %cstring_mutable but with substantial modifications
*/
%typemap(in,numinputs=1,fragment="SWIG_AsCharPtrAndSize") (char *con, char **mode) ($*2_ltype temp_mode = 0) {
int alloc_status = 0;
$1_ltype con_ptr = NULL;
size_t con_len = 0;
int char_ptr_res = SWIG_AsCharPtrAndSize($input, &con_ptr, &con_len, &alloc_status);
if (!SWIG_IsOK(char_ptr_res)) {
%argument_fail(char_ptr_res, "char *con", $symname, $argnum);
}
if (alloc_status != SWIG_NEWOBJ) {
// Unconditionally copy because the C function modifies the string in place
$1 = %new_copy_array(con_ptr, con_len+1, char);
} else {
$1 = con_ptr;
}
$2 = &temp_mode;
}
%typemap(freearg,noblock=1,match="in") (char *con, char **mode) {
%delete_array($1);
}
%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char *con, char **mode) {
/*
* aa_splitcon returns either con or NULL so we don't need to explicitly
* append it to the output, and we don't need the ISVOID helper here
*
* SWIG_FromCharPtr does NULL checks for us
*/
%append_output(SWIG_FromCharPtr(*$2));
}
%exception aa_splitcon {
$action
if (result == NULL) {
SWIG_exception_fail(SWIG_ValueError, "received invalid confinement context");
}
}
extern char *aa_splitcon(char *con, char **mode);
/* apparmor_private.h */
extern int _aa_is_blacklisted(const char *name);
#ifdef SWIGPYTHON
%exception {
$action
if (result < 0) {
// Unfortunately SWIG_exception does not support OSError
PyErr_SetFromErrno(PyExc_OSError);
SWIG_fail;
return NULL;
}
}
#endif
@@ -187,248 +41,33 @@ extern char *aa_splitcon(char *con, char **mode);
/* apparmor.h */
/*
* aa_is_enabled returns a boolean as an int with failure reason in errno
* Therefore, aa_is_enabled either returns True or throws an exception
*
* Keep that behavior for backwards compatibilty but return a boolean on Python
* where it makes more sense, which isn't a breaking change because a boolean is
* a subclass of int
*/
#ifdef SWIGPYTHON
%typemap(out) int {
$result = PyBool_FromLong($1);
}
#endif
extern int aa_is_enabled(void);
#ifdef SWIGPYTHON
// Based on SWIG's argcargv.i but we don't have an argc
%typemap(in,fragment="SWIG_AsCharPtr") const char *subprofiles[] (Py_ssize_t seq_len=0, int* alloc_tracking = NULL) {
void* arg_as_ptr = NULL;
int res_convertptr = SWIG_ConvertPtr($input, &arg_as_ptr, $descriptor(char*[]), 0);
if (SWIG_IsOK(res_convertptr)) {
$1 = %static_cast(arg_as_ptr, $1_ltype);
} else {
// Clear error that would be set if ptr conversion failed
PyErr_Clear();
int is_list = PyList_Check($input);
if (is_list || PyTuple_Check($input)) {
seq_len = PySequence_Length($input);
/*
* %new_array zero-inits for cleaner error handling and memory cleanup
* %delete_array(NULL) is no-op (either free or delete), and
* alloc_tracking of 0 is uninit
*
* Further note: SWIG_exception_fail jumps to the freearg typemap
*/
$1 = %new_array(seq_len+1, char *);
if ($1 == NULL) {
SWIG_exception_fail(SWIG_MemoryError, "could not allocate C subprofiles");
}
alloc_tracking = %new_array(seq_len, int);
if (alloc_tracking == NULL) {
SWIG_exception_fail(SWIG_MemoryError, "could not allocate C alloc track arr");
}
for (Py_ssize_t i=0; i<seq_len; i++) {
PyObject *o = is_list ? PyList_GetItem($input, i) : PyTuple_GetItem($input, i);
if (o == NULL) {
// Failed to get item-Python already set exception info
SWIG_fail;
} else if (o == Py_None) {
// SWIG_AsCharPtr(Py_None, ...) succeeds with ptr output being NULL
SWIG_exception_fail(SWIG_ValueError, "sequence contains a None object");
}
int res = SWIG_AsCharPtr(o, &$1[i], &alloc_tracking[i]);
if (!SWIG_IsOK(res)) {
// Could emit idx of error here, maybe?
SWIG_exception_fail(SWIG_ArgError(res), "sequence does not contain all strings");
}
}
} else {
SWIG_exception_fail(SWIG_TypeError, "subprofiles is not a list or tuple");
}
}
}
%typemap(freearg,noblock=1) const char *subprofiles[] {
/*
* If static_assert is present, use it to verify the assumption that
* allocation uninitialized (0) != SWIG_NEWOBJ
*/
%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
/*
* Some older versions of SWIG place this right after a goto label
* This would then be a label followed by a declaration, a C23 extension (!)
* To ensure this works for older SWIG versions and older compilers,
* make this a block element with curly braces.
*/
{static_assert(SWIG_NEWOBJ != 0, "SWIG_NEWOBJ is 0");}
%#endif
if ($1 != NULL && alloc_tracking$argnum != NULL) {
for (Py_ssize_t i=0; i<seq_len$argnum; i++) {
if (alloc_tracking$argnum[i] == SWIG_NEWOBJ) {
%delete_array($1[i]);
}
}
}
%delete_array(alloc_tracking$argnum);
%delete_array($1);
}
#endif
#ifdef SWIGPERL
// Copied from perl's argcargv.i, which should be good enough for us
%typemap(in) (const char *subprofiles[]) {
int i;
SSize_t len;
AV *av = (AV *)SvRV($input);
if (SvTYPE(av) != SVt_PVAV) {
SWIG_croak("in method '$symname', Expecting reference to argv array");
goto fail;
}
len = av_len(av) + 1;
$1 = (char **) malloc((len+1)*sizeof(char *));
for (i = 0; i < len; i++) {
SV **tv = av_fetch(av, i, 0);
$1[i] = SvPV_nolen(*tv);
}
$1[i] = NULL;
}
%typemap(typecheck, precedence=SWIG_TYPECHECK_STRING_ARRAY) (const char *subprofiles[]) {
AV *av = (AV *)SvRV($input);
$1 = SvTYPE(av) == SVt_PVAV;
}
%typemap(freearg) (const char *subprofiles[]) {
free((void *)$1);
}
#endif
/* These should not receive the VOID_Object typemap */
extern int aa_find_mountpoint(char **mnt);
extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
extern int aa_change_profile(const char *profile);
extern int aa_change_onexec(const char *profile);
extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
extern int aa_change_hat_vargs(unsigned long token, int count, ...);
extern int aa_stack_profile(const char *profile);
extern int aa_stack_onexec(const char *profile);
/*
* aa_find_mountpoint mnt is an output pointer to a heap-allocated string
*
* This is a replica of %cstring_output_allocate(char **mnt, free(*$1))
* that uses the ISVOID helper to work correctly on SWIG 4.3 or later.
*/
%typemap(in,noblock=1,numinputs=0) (char **mnt) ($*1_ltype temp_mnt = 0) {
$1 = &temp_mnt;
}
%typemap(freearg,match="in") (char **mnt) ""
%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **mnt) {
ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
free(*$1);
}
/* The other errno-based functions should not always be returning the int value:
* - Python exceptions signal success/failure status instead via the %exception
* handler above.
* - Perl (the other binding) has $! for accessing errno but would check the int
* return status first.
*
* The generated C code for (out) resets the return value to None
* before appending the returned data (argout generated by %cstring stuff)
*/
#ifdef SWIGPYTHON
%typemap(out,noblock=1) int {
#if defined(VOID_Object)
$result = VOID_Object;
#endif
}
#endif
/*
* We can't use "typedef int pid_t" because we still support systems
* with 16-bit PIDs and SWIG can't find sys/types.h
*
* Capture the passed-in value as a long because pid_t is guaranteed
* to be a signed integer and because the aalogparse struct uses
* (unsigned) longs to store pid values. While intmax_t would be more
* technically correct, if sizeof(pid_t) > sizeof(long) then aalogparse
* itself would also need fixing.
*/
%typemap(in,noblock=1,fragment="SWIG_AsVal_long") pid_t (int conv_pid, long pid_large) {
%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
static_assert(sizeof(pid_t) <= sizeof(long),
"pid_t type is too large to be stored in a long");
%#endif
conv_pid = SWIG_AsVal_long($input, &pid_large);
if (!SWIG_IsOK(conv_pid)) {
%argument_fail(conv_pid, "pid_t", $symname, $argnum);
}
/*
* Cast the long to a pid_t and then cast back to check for overflow
* Technically this is implementation-defined behaviour but we should be fine
*/
$1 = (pid_t) pid_large;
if ((long) $1 != pid_large) {
SWIG_exception_fail(SWIG_OverflowError, "pid_t is too large");
}
}
extern int aa_find_mountpoint(char **mnt);
extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
char **mode);
extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
extern int aa_gettaskcon(pid_t target, char **label, char **mode);
extern int aa_getcon(char **label, char **mode);
extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
extern int aa_getpeercon(int fd, char **label, char **mode);
/*
* Typemaps for the boolean outputs of the query functions
* Use boolean types for Python and int types elsewhere
*/
#ifdef SWIGPYTHON
// TODO: find a way to deduplicate these
%typemap(in, numinputs=0) int *allowed (int temp) {
$1 = &temp;
}
%typemap(argout) int *allowed {
ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
}
%typemap(in, numinputs=0) int *audited (int temp) {
$1 = &temp;
}
%typemap(argout) int *audited {
ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
}
#else
%apply int *OUTPUT { int *allowed };
%apply int *OUTPUT { int *audited };
#endif
/* Sync this with the apparmor.h */
/* Permission flags for the AA_CLASS_FILE mediation class */
#define AA_MAY_EXEC (1 << 0)
#define AA_MAY_WRITE (1 << 1)
#define AA_MAY_READ (1 << 2)
#define AA_MAY_APPEND (1 << 3)
#define AA_MAY_CREATE (1 << 4)
#define AA_MAY_DELETE (1 << 5)
#define AA_MAY_OPEN (1 << 6)
#define AA_MAY_RENAME (1 << 7)
#define AA_MAY_SETATTR (1 << 8)
#define AA_MAY_GETATTR (1 << 9)
#define AA_MAY_SETCRED (1 << 10)
#define AA_MAY_GETCRED (1 << 11)
#define AA_MAY_CHMOD (1 << 12)
#define AA_MAY_CHOWN (1 << 13)
#define AA_MAY_LOCK 0x8000
#define AA_EXEC_MMAP 0x10000
#define AA_MAY_LINK 0x40000
#define AA_MAY_ONEXEC 0x20000000
#define AA_MAY_CHANGE_PROFILE 0x40000000
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
extern int aa_query_file_path_len(uint32_t mask, const char *label,
size_t label_len, const char *path,
size_t path_len, int *allowed, int *audited);
extern int aa_query_file_path(uint32_t mask, const char *label,
const char *path, int *allowed, int *audited);
extern int aa_query_link_path_len(const char *label, size_t label_len,
const char *target, size_t target_len,
const char *link, size_t link_len,
int *allowed, int *audited);
extern int aa_query_link_path(const char *label, const char *target,
const char *link, int *allowed, int *audited);

2
libraries/libapparmor/swig/python/Makefile.am
View File

@@ -14,7 +14,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
all-local: libapparmor_wrap.c setup.py
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
install-exec-local:
$(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"

2
libraries/libapparmor/swig/python/setup.py.in
View File

@@ -2,7 +2,7 @@ from setuptools import setup, Extension
import string
setup(name = 'LibAppArmor',
version = '@VERSION@'.replace('~', '-'),
version = '@VERSION@',
author = 'AppArmor Dev Team',
author_email = 'apparmor@lists.ubuntu.com',
url = 'https://wiki.apparmor.net',

3
libraries/libapparmor/swig/python/test/Makefile.am
View File

@@ -15,7 +15,6 @@ PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
TESTS = test_python.py
TESTS_ENVIRONMENT = \
LD_LIBRARY_PATH='$(top_builddir)/src/.libs:$(PYTHON_DIST_BUILD_PATH)' \
PYTHONPATH='$(PYTHON_DIST_BUILD_PATH)' \
PYTHONDONTWRITEBYTECODE='1'
PYTHONPATH='$(PYTHON_DIST_BUILD_PATH)'
endif

4
libraries/libapparmor/swig/python/test/buildpath.py
View File

@@ -7,8 +7,8 @@ import sysconfig
import setuptools
if tuple(map(int, setuptools.__version__.split(".")[:2])) >= (62, 1):
if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
identifier = sys.implementation.cache_tag
else:
identifier = "%d.%d" % sys.version_info[:2]
print("lib.{}-{}".format(sysconfig.get_platform(), identifier))
print("lib.%s-%s" % (sysconfig.get_platform(), identifier))

109
libraries/libapparmor/swig/python/test/test_python.py.in
View File

@@ -55,107 +55,17 @@ NO_VALUE_MAP = {
'fsuid': int(ctypes.c_ulong(-1).value),
'ouid': int(ctypes.c_ulong(-1).value),
}
class AAPythonBindingsTests(unittest.TestCase):
def setUp(self):
# REPORT ALL THE OUTPUT
self.maxDiff = None
def test_aa_splitcon(self):
AA_SPLITCON_EXPECT = [
("unconfined", "unconfined", None),
("unconfined\n", "unconfined", None),
("/bin/ping (enforce)", "/bin/ping", "enforce"),
("/bin/ping (enforce)\n", "/bin/ping", "enforce"),
("/usr/sbin/rsyslog (complain)", "/usr/sbin/rsyslog", "complain"),
]
for context, expected_label, expected_mode in AA_SPLITCON_EXPECT:
actual_label, actual_mode = libapparmor.aa_splitcon(context)
if expected_label is None:
self.assertIsNone(actual_label)
else:
self.assertIsInstance(actual_label, str)
self.assertEqual(expected_label, actual_label)
if expected_mode is None:
self.assertIsNone(actual_mode)
else:
self.assertIsInstance(actual_mode, str)
self.assertEqual(expected_mode, actual_mode)
with self.assertRaises(ValueError):
libapparmor.aa_splitcon("")
def test_aa_is_enabled(self):
aa_enabled = libapparmor.aa_is_enabled()
self.assertIsInstance(aa_enabled, bool)
@unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
def test_aa_find_mountpoint(self):
mount_point = libapparmor.aa_find_mountpoint()
self.assertIsInstance(mount_point, str)
self.assertGreater(len(mount_point), 0, "mount point should not be empty")
self.assertTrue(os.path.isdir(mount_point))
# TODO: test commented out functions (or at least their prototypes)
# extern int aa_change_profile(const char *profile);
# extern int aa_change_onexec(const char *profile);
@unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
def test_change_hats(self):
# Changing hats will fail because we have no valid hats to change to
# However, we still verify that we get an OSError instead of a TypeError
with self.assertRaises(OSError):
libapparmor.aa_change_hat("nonexistent_profile", 12345678)
with self.assertRaises(OSError):
libapparmor.aa_change_hatv(["nonexistent_1", "nonexistent_2"], 0xabcdef)
libapparmor.aa_change_hatv(("nonexistent_1", "nonexistent_2"), 0xabcdef)
# extern int aa_stack_profile(const char *profile);
# extern int aa_stack_onexec(const char *profile);
# extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
# extern int aa_gettaskcon(pid_t target, char **label, char **mode);
@unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
def test_aa_gettaskcon(self):
# Our test harness should be running us as unconfined
# Get our own pid and this should be equivalent to aa_getcon
pid = os.getpid()
label, mode = libapparmor.aa_gettaskcon(pid)
self.assertEqual(label, "unconfined", "aa_gettaskcon label should be unconfined")
self.assertIsNone(mode, "aa_gettaskcon mode should be unconfined")
@unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
def test_aa_getcon(self):
# Our test harness should be running us as unconfined
label, mode = libapparmor.aa_getcon()
self.assertEqual(label, "unconfined", "aa_getcon label should be unconfined")
self.assertIsNone(mode, "aa_getcon mode should be unconfined")
# extern int aa_getpeercon(int fd, char **label, char **mode);
# extern int aa_query_file_path(uint32_t mask, const char *label,
# const char *path, int *allowed, int *audited);
@unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
def test_aa_query_file_path(self):
aa_query_mask = libapparmor.AA_MAY_EXEC | libapparmor.AA_MAY_READ | libapparmor.AA_MAY_WRITE
allowed, audited = libapparmor.aa_query_file_path(aa_query_mask, "unconfined", "/tmp/hello")
self.assertTrue(allowed)
self.assertFalse(audited)
# extern int aa_query_link_path(const char *label, const char *target,
# const char *link, int *allowed, int *audited);
class AALogParsePythonBindingsTests(unittest.TestCase):
def setUp(self):
# REPORT ALL THE OUTPUT
self.maxDiff = None
def _runtest(self, testname):
infile = testname + ".in"
outfile = testname + ".out"
infile = "%s.in" % (testname)
outfile = "%s.out" % (testname)
# infile *should* only contain one line
with open(os.path.join(TESTDIR, infile), 'r') as f:
line = f.read()
@@ -168,7 +78,7 @@ class AALogParsePythonBindingsTests(unittest.TestCase):
expected = self.parse_output_file(outfile)
self.assertEqual(expected, record,
"expected records did not match\n"
"expected = {}\nactual = {}".format(expected, record))
"expected = %s\nactual = %s" % (expected, record))
def parse_output_file(self, outfile):
"""parse testcase .out file and return dict"""
@@ -183,7 +93,7 @@ class AALogParsePythonBindingsTests(unittest.TestCase):
count += 1
if line == "START":
self.assertEqual(count, 1,
"Unexpected output format in " + outfile)
"Unexpected output format in %s" % (outfile))
continue
else:
key, value = line.split(": ", 1)
@@ -208,9 +118,6 @@ class AALogParsePythonBindingsTests(unittest.TestCase):
# FIXME: out files should report log version?
# FIXME: or can we just deprecate v1 logs?
continue
elif key == "thisown":
# SWIG generates this key to track memory allocation
continue
elif key in NO_VALUE_MAP:
if NO_VALUE_MAP[key] == value:
continue
@@ -234,8 +141,8 @@ def main():
for f in find_testcases(TESTDIR):
def stub_test(self, testname=f):
self._runtest(testname)
stub_test.__doc__ = "test " + f
setattr(AALogParsePythonBindingsTests, 'test_' + f, stub_test)
stub_test.__doc__ = "test %s" % (f)
setattr(AAPythonBindingsTests, 'test_%s' % (f), stub_test)
return unittest.main(verbosity=2)

16
libraries/libapparmor/testsuite/test_multi.c
View File

@@ -1,3 +1,5 @@
#define _GNU_SOURCE /* for glibc's basename version */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -5,12 +7,6 @@
#include <aalogparse.h>
static const char *basename(const char *path)
{
const char *p = strrchr(path, '/');
return p ? p + 1 : path;
}
int print_results(aa_log_record *record);
int main(int argc, char **argv)
@@ -107,7 +103,7 @@ int print_results(aa_log_record *record)
print_string("Name", record->name);
print_string("Command", record->comm);
print_string("Name2", record->name2);
print_string("Namespace", record->aa_namespace);
print_string("Namespace", record->namespace);
print_string("Attribute", record->attribute);
print_long("Task", record->task, 0);
print_long("Parent", record->parent, 0);
@@ -119,8 +115,6 @@ int print_results(aa_log_record *record)
print_long("Peer PID", record->peer_pid, 0);
print_string("Active hat", record->active_hat);
print_string("Net Addr", record->net_addr);
print_string("Peer Addr", record->peer_addr);
print_string("Network family", record->net_family);
print_string("Socket type", record->net_sock_type);
print_string("Protocol", record->net_protocol);
@@ -140,9 +134,7 @@ int print_results(aa_log_record *record)
print_string("Flags", record->flags);
print_string("Src name", record->src_name);
print_string("Execpath", record->execpath);
print_string("Class", record->rule_class);
print_string("Class", record->class);
print_long("Epoch", record->epoch, 0);
print_long("Audit subid", (long) record->audit_sub_id, 0);

2
libraries/libapparmor/testsuite/test_multi/file_inherit_network_lp1509030.profile
View File

@@ -1,4 +1,4 @@
/usr/lib/NetworkManager/nm-dhcp-client.action {
network inet6 dgram port=10580,
network inet6 dgram,
}

2
libraries/libapparmor/testsuite/test_multi/file_perm_network_lp1466812.profile
View File

@@ -1,4 +1,4 @@
/usr/sbin/apache2 {
network inet6 stream ip=::ffff:192.168.236.159 port=80 peer=(ip=::ffff:192.168.103.80 port=61985),
network inet6 stream,
}

2
libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1577051.profile
View File

@@ -1,7 +1,7 @@
/usr/sbin/apache2 {
^www.xxxxxxxxxx.co.uk {
network (send) inet6 stream ip=::ffff:192.168.1.100 port=80 peer=(ip=::ffff:192.168.1.100 port=45658),
network inet6 stream,
}
}

2
libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1582374.profile
View File

@@ -1,7 +1,7 @@
/usr/local/apache-tomcat-8.0.33/bin/catalina.sh {
^/usr/local/jdk1.8.0_92/bin/java {
network (receive) inet6 stream ip=::ffff:127.0.0.1 port=8080 peer=(ip=::ffff:127.0.0.1 port=52308),
network inet6 stream,
}
}

0
libraries/libapparmor/testsuite/test_multi/file_xm.err
View File

1
libraries/libapparmor/testsuite/test_multi/file_xm.in
View File

@@ -1 +0,0 @@
type=AVC msg=audit(1676978994.840:1493): apparmor="DENIED" operation="link" profile="cargo" name="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib" pid=12412 comm="cargo" requested_mask="xm" denied_mask="xm" fsuid=250 ouid=250 target="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib"FSUID="portage" OUID="portage"

16
libraries/libapparmor/testsuite/test_multi/file_xm.out
View File

@@ -1,16 +0,0 @@
START
File: file_xm.in
Event type: AA_RECORD_DENIED
Audit ID: 1676978994.840:1493
Operation: link
Mask: xm
Denied Mask: xm
fsuid: 250
ouid: 250
Profile: cargo
Name: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib
Command: cargo
Name2: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib
PID: 12412
Epoch: 1676978994
Audit subid: 1493

4
libraries/libapparmor/testsuite/test_multi/file_xm.profile
View File

@@ -1,4 +0,0 @@
profile cargo {
owner /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib m,
}

0
libraries/libapparmor/testsuite/test_multi/testcase36.err
View File

1
libraries/libapparmor/testsuite/test_multi/testcase36.in
View File

@@ -1 +0,0 @@
2025-01-27T13:01:36.226987+05:30 sec-plucky-amd64 kernel: audit: type=1400 audit(1737963096.225:3240): apparmor="AUDIT" operation="getattr" class="file" profile="/usr/sbin/mosquitto" name="/etc/mosquitto/pwfile" pid=8119 comm="mosquitto" requested_mask="r" fsuid=122 ouid=122

15
libraries/libapparmor/testsuite/test_multi/testcase36.out
View File

@@ -1,15 +0,0 @@
START
File: testcase36.in
Event type: AA_RECORD_AUDIT
Audit ID: 1737963096.225:3240
Operation: getattr
Mask: r
fsuid: 122
ouid: 122
Profile: /usr/sbin/mosquitto
Name: /etc/mosquitto/pwfile
Command: mosquitto
PID: 8119
Class: file
Epoch: 1737963096
Audit subid: 3240

4
libraries/libapparmor/testsuite/test_multi/testcase36.profile
View File

@@ -1,4 +0,0 @@
/usr/sbin/mosquitto {
/etc/mosquitto/pwfile r,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.err
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.in
View File

@@ -1 +0,0 @@
[ 4584.703379] audit: type=1400 audit(1680266735.359:69): apparmor="DENIED" operation="uring_sqpoll" class="io_uring" profile="/root/apparmor/tests/regression/apparmor/io_uring" pid=1320 comm="io_uring" requested="sqpoll" denied="sqpoll"

13
libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.out
View File

@@ -1,13 +0,0 @@
START
File: testcase_io_uring_01.in
Event type: AA_RECORD_DENIED
Audit ID: 1680266735.359:69
Operation: uring_sqpoll
Mask: sqpoll
Denied Mask: sqpoll
Profile: /root/apparmor/tests/regression/apparmor/io_uring
Command: io_uring
PID: 1320
Class: io_uring
Epoch: 1680266735
Audit subid: 69

4
libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.profile
View File

@@ -1,4 +0,0 @@
/root/apparmor/tests/regression/apparmor/io_uring {
io_uring sqpoll,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.err
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.in
View File

@@ -1 +0,0 @@
[ 4584.491076] audit: type=1400 audit(1680266735.147:63): apparmor="DENIED" operation="uring_override" class="io_uring" profile="/root/apparmor/tests/regression/apparmor/io_uring" pid=1193 comm="io_uring" requested="override_creds" denied="override_creds" tcontext="/root/apparmor/tests/regression/apparmor/io_uring"

14
libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.out
View File

@@ -1,14 +0,0 @@
START
File: testcase_io_uring_02.in
Event type: AA_RECORD_DENIED
Audit ID: 1680266735.147:63
Operation: uring_override
Mask: override_creds
Denied Mask: override_creds
Profile: /root/apparmor/tests/regression/apparmor/io_uring
Peer profile: /root/apparmor/tests/regression/apparmor/io_uring
Command: io_uring
PID: 1193
Class: io_uring
Epoch: 1680266735
Audit subid: 63

4
libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.profile
View File

@@ -1,4 +0,0 @@
/root/apparmor/tests/regression/apparmor/io_uring {
io_uring override_creds label=/root/apparmor/tests/regression/apparmor/io_uring,
}

2
libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile
View File

@@ -1,4 +1,4 @@
/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mount_02.err
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in
View File

@@ -1 +0,0 @@
type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"

14
libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out
View File

@@ -1,14 +0,0 @@
START
File: testcase_mount_02.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1715045678.914:344186
Operation: mount
Profile: steam
Name: /newroot/dev/
Command: srt-bwrap
Info: failed flags match
ErrorCode: 13
PID: 26487
Flags: rw, nosuid, nodev, remount, bind, silent, relatime
Epoch: 1715045678
Audit subid: 344186

4
libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile
View File

@@ -1,4 +0,0 @@
profile steam {
mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.err
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.in
View File

@@ -1 +0,0 @@
Apr 05 19:36:19 ubuntu kernel: audit: type=1400 audit(1649187379.660:255): apparmor="DENIED" operation="create" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=791 comm="posix_mq_rcv" requested="create" denied="create" class="posix_mqueue" fsuid=0 ouid=0

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.out
View File

@@ -1,16 +0,0 @@
START
File: testcase_mqueue_01.in
Event type: AA_RECORD_DENIED
Audit ID: 1649187379.660:255
Operation: create
Mask: create
Denied Mask: create
fsuid: 0
ouid: 0
Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
Name: /queuename
Command: posix_mq_rcv
PID: 791
Class: posix_mqueue
Epoch: 1649187379
Audit subid: 255

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.profile
View File

@@ -1,4 +0,0 @@
/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
mqueue create type=posix /queuename,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.err
View File

2
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.in
View File

@@ -1,2 +0,0 @@
Apr 05 19:36:29 ubuntu kernel: audit: type=1400 audit(1649187389.828:262): apparmor="DENIED" operation="open" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=848 comm="posix_mq_rcv" requested="read create" denied="read" class="posix_mqueue" fsuid=0 ouid=0

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.out
View File

@@ -1,16 +0,0 @@
START
File: testcase_mqueue_02.in
Event type: AA_RECORD_DENIED
Audit ID: 1649187389.828:262
Operation: open
Mask: read create
Denied Mask: read
fsuid: 0
ouid: 0
Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
Name: /queuename
Command: posix_mq_rcv
PID: 848
Class: posix_mqueue
Epoch: 1649187389
Audit subid: 262

4
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.profile
View File

@@ -1,4 +0,0 @@
/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
mqueue read type=posix /queuename,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.err
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.in
View File

@@ -1 +0,0 @@
Apr 05 19:36:39 ubuntu kernel: audit: type=1400 audit(1649187399.973:265): apparmor="DENIED" operation="unlink" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=897 comm="posix_mq_rcv" requested="delete" denied="delete" class="posix_mqueue" fsuid=0 ouid=0

16
libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.out
View File

@@ -1,16 +0,0 @@
START
File: testcase_mqueue_03.in
Event type: AA_RECORD_DENIED
Audit ID: 1649187399.973:265
Operation: unlink
Mask: delete
Denied Mask: delete
fsuid: 0
ouid: 0
Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
Name: /queuename
Command: posix_mq_rcv
PID: 897
Class: posix_mqueue
Epoch: 1649187399
Audit subid: 265

Some files were not shown because too many files have changed in this diff Show More