Fix for #253, by mirroring the change from 1c23f5e1e4
On top of that, fix setuptools version detection in buildpath.py. libraries/libapparmor/swig/python/test/buildpath.py: The changes introduced in cc7f549665 targetted a wrong setuptools version (61.2). The change in build directory naming has been introduced with 62.0.
Fixes#259Fixes#39
The first 3 commits are based on https://gitlab.com/apparmor/apparmor/-/merge_requests/897, the other two come from https://gitlab.com/apparmor/apparmor/-/merge_requests/904. Since there are several differences between 2.13 and >= 3.0, I had to adjust the patches at several places.
I propose this MR for 2.11, 2.12 and 2.13.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/910
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3c047517a4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
... which will be removed in Python 3.12, and that probably won't be
used on systems running the AppArmor 2.1x branches.
This prevents CI failures on gitlab.com, which uses a new-enough python
to show
DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
For 3.0 and master, the proper fix (switching to setuptools) was done in
!813.
I propose this patch for 2.11, 2.12 and 2.13.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/908
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit fd1b463643)
ca3e5be5 Grep away deprecation warning for distutils
similar to commit 2f9d172c64
we discovered that there was a service outage
when dovecot tried to send a usr1 signal
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/865
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 83685ba703)
f0919f83 Allow dovecot to use all signals
Fix typo in manpage
Closes#192
See merge request apparmor/apparmor!789
Acked-by: Acked-by: Seth Arnold <seth.arnold@canonical.com> for all branches
(cherry picked from commit 131ae8425b)
1459f49b Fix typo in manpage
Currently for directory includes the directory timestamp is ignored.
This is wrong as operations like removing a file from the dir won't
be considered in the timestamp check.
Fix this by updating the timestamp check to include the included
directories timestamp.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/760
Signed-off-by: John Johansen <john@jjmx.net>
Acked-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 3d1232e640)
The following errors are happening on the regression tests
of i18n.sh on arm64 hirsute/impish:
Error: open failed. Test 'i18n (194) OPEN (octal) "/tmp/sdtest.3654-6536-J2ZwFM/file__post" RW' was expected to 'pass'. Reason for failure 'FAIL: open /tmp/sdtest.3654-6536-J2ZwFM/file__post failed - Permission denied'
...
The cause is a bash bug handling UTF-8 on subshells.
Fixes: https://bugs.launchpad.net/apparmor/+bug/1932331
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/765
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 458a981b62)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
dhclient wants to set its thread names to functional names for
introspection purposes. Eg.
$ pstree -at 3395
dhclient ens3
├─{isc-socket}
├─{isc-timer}
└─{isc-worker0000}
When denied this can result in dhclient breaking and failing to obtain
IPv4 addresses.
Fixes: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1918410
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit c734839551)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser is failing to properly filter the slashes in the link name
after variable expansion. Causing match failures when multiple slashes
occur.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/153
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/723
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 2852e1ecdf)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently the wutmp abstraction has the following rules:
/var/log/lastlog rwk,
/var/log/wtmp wk,
@{run}/utmp rwk,
According to what I see in my apparmor profiles, just a few apps want
to interact with the files listed above, especially with the
/var/log/wtmp . But when the apps do this, they sometimes want the
read access to this file. An example could be the last command. Is
there any reason for not having the r in the rule? The second thing
is the file /var/log/btmp (which isn't included in the
abstracion). Whenever I see an app, which wants to access the
/var/log/wtmp file, it also tries to interact with the /var/log/btmp
file, for instance lightdm/sddm or su . Most of the time they need
just wk permissions, but sometimes apps need also r on this file, an
example could be the lastb command, which is just a link to last.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/152
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/724
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d4e0a94511)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The backport of
855dbd4a parser: fix rule downgrade for unix rules
using the rule_t::warn_once which doesn't exist in the 2.x parser
series. Switch this the the static function warn_once.
Fixes: ff392e6f parser: fix rule downgrade for unix rules
Signed-off-by: John Johansen <john.johansen@canonical.com>
Rule downgrades are used to provide some confinement when a feature
is only partially supported by the kernel.
Eg. On a kernel that doesn't support fine grained af_unix mediation
but does support network mediation.
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
will be downgraded to
network unix type=stream,
Which while more permissive still provides some mediation while
allowing the appication to still function. However making the rule
a deny rule result in tightening the profile.
Eg.
deny unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
will be downgraded to
deny network unix type=stream,
and that deny rule will take priority over any allow rule. Which means
that if the profile also had unix allow rules they will get blocked by
the downgraded deny rule, because deny rules have a higher priority,
and the application will break. Even worse there is no way to add the
functionality back to the profile without deleting the offending deny
rule.
To fix this we drop deny rules that can't be downgraded in a way that
won't break the application.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/700
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 855dbd4ac8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
My main user account is managed by systemd-homed. When I enable
AppArmor and have nscd running, I get inconsistent behavior with my
user account - sometimes I can't log in, sometimes I can log in but
not use sudo, etc.
This is the output of getent passwd:
$ getent passwd
root❌0:0::/root:/usr/bin/zsh
bin❌1:1::/:/sbin/nologin
daemon❌2:2::/:/sbin/nologin
mail❌8:12::/var/spool/mail:/sbin/nologin
ftp❌14:11::/srv/ftp:/sbin/nologin
http❌33:33::/srv/http:/sbin/nologin
nobody❌65534:65534:Nobody:/:/sbin/nologin
dbus❌81:81:System Message Bus:/:/sbin/nologin
[...]
rose❌1000:1000:Rose Kunkel:/home/rose:/usr/bin/zsh
But getent passwd rose and getent passwd 1000 both return no output.
Stopping nscd.service fixes these problems. Checking the apparmor
logs, I noticed that nscd was denied access to
/etc/machine-id. Allowing access to that file seems to have fixed the
issue.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/707
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/145
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit ee5303c8a0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1
Running firefix, then going to netflix.com and attempting to play a
movie. The widevinecdm plugin crashes, the following is found in
syslog:
Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert
...
Fixes: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1777070
Reported-by: Xav Paice <xav.paice@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/684
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 656f2103ed)
Signed-off-by: John Johansen <john.johansen@canonical.com>
job scaling allows the parser to resample the number of cpus available
and increase the number of jobs that can be launched if cpu available
increases.
Unfortunately job scaling was being applied even when a fixed number
of jobs was specified. So
--jobs=2
doesn't actually clamp the compile at 2 jobs.
Instead job scaling should only be applied when --jobs=auto or when
jobs are set to a multiple of the cpus.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/703
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 65ba20b955)
So far, aa-autodep "accidently" loaded the abstractions when parsing the
existing profiles. Obviously, this only worked if there is at least one
profile in the active or extra profile directory.
Without any existing profiles, aa-autodep crashed with
KeyError: '/tmp/apparmor.d/abstractions/base'
Prevent this crash by explicitely loading the abstractions on start.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/682
(cherry picked from commit f6b3de7116)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is needed to catch conflicts between uppercase and lowercase
hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in
the german utils translations.
(cherry picked from commit 07bd11390e)
Dovecot is hit with this denial on Debian 10 (buster):
```
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
```
This results in fatal error:
```
Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
/usr/share/dovecot/dh.pem: Permission denied
```
Add rule to allow reading dh.pem.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 9d8e111abe)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The mnt_point and devices conditionals in mount rules are generally
paths and should have slashes filtered after variable expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a1978fb1b2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similar to unix addr rules, the dbus path conditional is more a path
than a profile name and should get its slashes filtered after variable
expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 35f6d49ec6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently mount options type= and options= do not expand variables
but they should. Fix it.
Note: this does not treat either as paths because their use is
too device dependent for it to be safe to filter slashes.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/99
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/638
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 882380ad3d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
include the `<sys/socket.h>` header to make its declaration available.
While this works on systems using glibc via transitive includes, it
breaks compilation on musl libc.
Fix the issue by including the header.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 47263a3a74)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While `_aa_asprintf` is supposed to be of private visibility, it's used
by apparmor_parser and thus required to be visible when linking. This
commit thus adds it to the list of private symbols to make it available
for linking in apparmor_parser.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 9a8fee6bf1)
prologue.inc:settest() in same cases invokes a sed command that uses
'~' as a pattern separator, on things that can contain filesystem
paths. However, in the debian/ubuntu world, '~' can be used in version
strings, particularly for pre-release versions, and when this happens
and the version is embedded in the path, the sed command breaks
because of the extraneous separator. Fix this by using '#' as a
separator, which has the benefit of being considered a comment if
accidentally interpreted by a shell.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/599
(cherry picked from commit efc6590409)
Signed-off-by: John Johansen <john.johansen@canonical.com>
These capabilities were introduced in Linux 5.8
References: https://bugs.launchpad.net/bugs/1890547
(cherry picked from commit ae01250209)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similar to the profiles/ check using the python utilities, the
tests for the python utilities were not including the path for the
swig libapparmor library in the LD_LIBRARY_PATH variable, only in
PYTHONPATH. This commit fixes that, renaming the variable used for
the built libapparmor check.
v2:
- actually use the LIBAPPARMOR_PATH variable when defining
LD_LIBRARY_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The commit c8b6d8b393 ("profiles: Update 'make check' to select tools
based on USE_SYSTEM") set a bunch of variables but neglected to apply
them when invoking aa-logprof. This commit addresses this by:
* correcting the PYTHONPATH used with aa-logprof
* setting LD_LIBRARY_PATH when invoking aa-logprof
* adjusting LD_LIBRARY_PATH to include both the directory location
of libapparmor but also the swig libapparmor library needed for
python tools to function.
* adjusts the test for the presence of libapparmor to not use
LD_LIBRARY_PATH but instead a libapparmor specific variable
LIBAPPARMOR_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Fixes: c8b6d8b393
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
When running the 'check-logprof' test using tools in the tree,
libapparmor needs to have been built for the python utilities to work.
Add a check for its existence to the test-dependencies target.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The "local" make target does not depend on the parser having been
built. Create a separate "test-dependencies" target and have the tests
that need them depend on that and the "local" target, when validating
the profile set against the apparmor tools.
Fixes: c8b6d8b393
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The profiles dirs make check is not always using the correct tools.
Update it to be similar to other Makefiles where the var USE_SYSTEM
make check USE_SYSTEM=1
is used to indicated that the system installed tools should be used
and
make check
is used to run the tests against the in tree tools
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit c8b6d8b393)
Seen on openSUSE Tumbleweed with the mail users in a mysql database.
(cherry picked from commit f7ab91f423)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is needed when using the "apparmor" plugin which means dovecot
switches to user-specific hats.
Seen on openSUSE Tumbleweed.
(backported from commit 6a388859f8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
strip_quotes() assumed its parameter is at least one character long, and
errored out on an empty string.
It also converted a string consisting of a single quote to an empty
string because that single quote had a quote as first and last char.
This commit fixes these two bugs.
Also rewrite TestStripQuotes to use tests[], and add some test for an empty
string, a one-char path (just a slash) and a single quote.
(cherry picked from commit 373e8e23b1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
