Commit graph

1178 commits

Author SHA1 Message Date
Georgia Garcia
70686e4990 Merge log parsing fixes
small fixes on log parsing

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/959
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 4f2d2a8cab)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2022-12-16 17:05:01 -03:00
John Johansen
a3434626d0 Merge [2.11..2.13] Add 'mctp' network domain keyword [only to utils]
Reported as comment on https://build.opensuse.org/request/show/951354
(update to glibc 2.35)

This is a partial backport of
https://gitlab.com/apparmor/apparmor/-/merge_requests/832

I propose this patch for 2.11, 2.12 and 2.13.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/911
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 157c8ee36a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-08-22 15:29:20 -07:00
John Johansen
609fe42e75 Merge [2.11..2.13] Support setuptools >= 61.2 in Python tests
Fix for #253, by mirroring the change from 1c23f5e1e4

On top of that, fix setuptools version detection in buildpath.py. libraries/libapparmor/swig/python/test/buildpath.py: The changes introduced in cc7f549665 targeted a wrong setuptools version (61.2). The change in build directory naming has been introduced with 62.0.

Fixes #259 Fixes #39

The first 3 commits are based on https://gitlab.com/apparmor/apparmor/-/merge_requests/897, the other two come from https://gitlab.com/apparmor/apparmor/-/merge_requests/904. Since there are several differences between 2.13 and >= 3.0, I had to adjust the patches at several places.

I propose this MR for 2.11, 2.12 and 2.13.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/910
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3c047517a4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-08-22 15:28:46 -07:00
Christian Boltz
1cccb93faa Merge Set (instead of compare) exresult
Interestingly this accidentally worked because `if exresult` is true for
both a non-empty string ("PASS") as well as a real `True` value.

Found by Mark Grassi as part of
https://gitlab.com/apparmor/apparmor/-/merge_requests/906

I propose this patch for all branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/907
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit c06ea77445)

5a2fb856 Set (instead of compare) exresult
2022-08-16 19:27:17 +00:00
John Johansen
903e58a740 Merge [2.x..3.0] aa-remove-unknown: abort on parser failure
If apparmor_parser -N (in profiles_names_list()) fails,
aa-remove-unknown possibly gets an incomplete list of profiles in
/etc/apparmor.d/ and therefore might remove more profiles than it
should.

Replace the profiles_names_list() call with a direct apparmor_parser
call, and abort aa-remove-unknown if it exits with $? != 0

Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```

After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```

And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```

(cherry picked from commit 5053a01d84)

This backports the fix in `aa-remove-unknown` from !836, but doesn't backport the cleanup in `rc.apparmor.functions`.

I propose this patch for 3.0 and all 2.x branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/859
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit c6324c2a3e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-03-09 16:56:40 -08:00
Steve Beattie
c14e7cf49c
utils: Add new python versions to logprof.conf
Adding everything up to 3.19 should make the file future-proof for a
while ;-)

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/193
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/795
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 4559a2997c)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
2021-08-26 10:56:39 -07:00
Christian Boltz
013fcc57bc apparmor.vim: add support for abi rules
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/690
(cherry picked from commit c421fcd38a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-12-11 14:56:36 -08:00
Christian Boltz
efdeb8a4ec aa-autodep: load abstractions on start
So far, aa-autodep "accidentally" loaded the abstractions when parsing the
existing profiles. Obviously, this only worked if there is at least one
profile in the active or extra profile directory.

Without any existing profiles, aa-autodep crashed with
KeyError: '/tmp/apparmor.d/abstractions/base'

Prevent this crash by explicitly loading the abstractions on start.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/682
(cherry picked from commit f6b3de7116)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-11-28 05:14:36 -08:00
Christian Boltz
e43b6bcb14
Fix hotkey conflict in utils id.po
(cherry picked from commit 7cf54f2cd8 /
ca0d9f758b)

Note that the original commit also included fixes for de.po and sv.po
which are not needed in the 2.12 branch.
2020-11-01 23:13:58 +01:00
Christian Boltz
d7cd5ffb04
Check hotkey conflicts case-insensitive
This is needed to catch conflicts between uppercase and lowercase
hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in
the German utils translations.

(cherry picked from commit 07bd11390e)
2020-11-01 23:07:25 +01:00
Christian Boltz
42229d3220 Add CAP_CHECKPOINT_RESTORE to severity.db
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/656
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 2c2dbdc3a3)
2020-10-15 03:04:22 -07:00
John Johansen
053add01d3 Merge utils make check_severity_db: say ERROR for failing the build
utils `make check_severity_db` will fail the build if a (probably new) capability is not listed in severity.db. This also means it should print out an ERROR, not a warning.

This is a follow-up of lp#1890547 and https://gitlab.com/apparmor/apparmor/-/merge_requests/589

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/591
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 2f5d5e1b24)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-08-20 01:15:54 -07:00
Christian Boltz
6e2a1da87b Add CAP_BPF and CAP_PERFMON to severity.db
These capabilities were introduced in Linux 5.8

References: https://bugs.launchpad.net/bugs/1890547
(cherry picked from commit ae01250209)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-08-07 13:52:30 -07:00
Christian Boltz
7c66335e74 Handle symlink log events in aa-logprof
Nobody told the tools that log events with operation="symlink" exist.
Add this keyword to the list of file or network operations (I don't
expect network symlinks ;-) but keeping everything in that list makes
things easier than special-casing it.)

Also add the log sample and expected result to the libapparmor tests.

Fixes https://gitlab.com/apparmor/apparmor/-/issues/107

(cherry picked from commit 98bf187323)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-08-06 11:21:40 -07:00
Steve Beattie
449613f61d utils/tests: add libapparmor swig library path
Similar to the profiles/ check using the python utilities, the
tests for the python utilities were not including the path for the
swig libapparmor library in the LD_LIBRARY_PATH variable, only in
PYTHONPATH. This commit fixes that, renaming the variable used for
the built libapparmor check.

v2:
 - actually use the LIBAPPARMOR_PATH variable when defining
   LD_LIBRARY_PATH

Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-25 00:59:20 -07:00
Christian Boltz
6f5e1764b6 Merge branch 'cboltz-2.13-tests-profile-dir' into 'apparmor-2.13'
[2.11..2.13] fix setting apparmor.aa.profile_dir in some tests

cherry picked from commit 6fe4b5e59a -
but only the test-aa.py changes because test-profile-list.py didn't have
the affected tests in 2.13 yet.

See merge request apparmor/apparmor!574

Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..2.13

(cherry picked from commit ac4bf706e5)

583ea724 fix setting apparmor.aa.profile_dir in some tests
2020-06-19 11:43:09 +00:00
Christian Boltz
594cee4aeb Fix strip_quotes() to handle empty strings
strip_quotes() assumed its parameter is at least one character long, and
errored out on an empty string.

It also converted a string consisting of a single quote to an empty
string because that single quote had a quote as first and last char.

This commit fixes these two bugs.

Also rewrite TestStripQuotes to use tests[], and add some tests for an empty
string, a one-char path (just a slash) and a single quote.

(cherry picked from commit 373e8e23b1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-05-26 00:45:20 -07:00
Christian Boltz
e8ea733407 Merge branch 'cboltz-2.13-collapse-log' into 'apparmor-2.13'
[2.12+2.13] collapse_log(): avoid accidentally initializing aa[profile]

See merge request apparmor/apparmor!539

Acked-by: John Johansen <john.johansen@canonical.com> for 2.12 and 2.13

(cherry picked from commit 5f61bd4cf2)

72c2a7d2 collapse_log(): avoid accidentally initializing aa[profile]
2020-05-20 19:23:31 +00:00
Christian Boltz
954690cff2 Merge branch 'cboltz-fail-verbose' into 'master'
read_profile(): don't fail silently

See merge request apparmor/apparmor!530

Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..master

(cherry picked from commit e0f9b7cb07)

af8b9dc5 read_profile(): don't fail silently
2020-05-12 19:44:10 +00:00
Christian Boltz
10ffd92137 Merge branch 'cboltz-vim-alias' into 'master'
apparmor.vim: allow leading whitespace for alias rules

See merge request apparmor/apparmor!527

Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..master

(cherry picked from commit ae70ecfbaa)

c636580f apparmor.vim: allow leading whitespace for alias rules
2020-05-10 22:54:54 +00:00
Christian Boltz
e41ed413bf Merge branch 'cboltz-less-shell' into 'master'
less shell ;-)

See merge request apparmor/apparmor!520

Acked-by: John Johansen <john.johansen@canonical.com>

(cherry picked from commit 6b55794074)

48bae9e3 less shell ;-)
2020-05-07 17:59:31 +00:00
Christian Boltz
e1e8d1ce10 Merge branch 'cboltz-2.13-genprof-fix-json' into 'apparmor-2.13'
[2.11..2.13] Fix showing the local inactive profile in json mode

See merge request apparmor/apparmor!516

Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.12 and 2.13

(cherry picked from commit eb5185c961)

6e9dd649 Split off UI_ShowFile() from UI_Changes
da07cdf7 Fix showing the local inactive profile in json mode
2020-05-07 10:18:23 +00:00
Christian Boltz
431004b2ab Merge branch 'cboltz-vim-if-exists' into 'master'
apparmor.vim: support 'include if exists'

See merge request apparmor/apparmor!500

Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master

(cherry picked from commit a4864146e2)

efa7c6d6 apparmor.vim: support 'include if exists'
2020-05-03 19:28:20 +00:00
Christian Boltz
28e4a02306 Merge branch 'cboltz-drop-localinclude' into 'master'
Drop 'localinclude' in parse_profile_data() and ProfileStorage

See merge request apparmor/apparmor!427

Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Acked-by: Steve Beattie <steve@nxnw.org> for 2.12..master

(cherry picked from commit b017f8f8a9)

001ea9e3 Drop 'localinclude' in parse_profile_data() and ProfileStorage
2019-11-18 21:32:46 +00:00
Christian Boltz
6bb5d5808c Merge branch 'cboltz-status-parenthesis' into 'master'
aa-status: handle profile names containing '('

Closes #51

See merge request apparmor/apparmor!415

Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master

(cherry picked from commit b76567ce10)

41d26b01 aa-status: handle profile names containing '('
2019-09-23 18:55:53 +00:00
Paulo Gomes
887b786aa5 Fix capability misspelling.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/421
(cherry picked from commit 2d19d4d159)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-09-20 02:15:49 -07:00
Christian Boltz
a4f3f48974 Merge branch 'cboltz-unbalanced-parenthesis' into 'master'
Fix crash on unbalanced parenthesis in filename

See merge request apparmor/apparmor!402

Seth Arnold <seth.arnold@canonical.com> for 2.10..master

(cherry picked from commit db1f391844)

8f74ac02 Fix crash on unbalanced parenthesis in filename
2019-07-09 19:45:46 +00:00
Steve Beattie
069d63a849
utils/test-network.py: fix failing testcase
When dc010bc034 was
backported to the apparmor-2.13 branch (in commit
75236d62e2), it did not take into
account cb8c3377ba, which creates the
common/list_af_names.sh script as used in the test case, was not also
backported to the apparmor-2.13 branch.

Change the test case to get the list of network AF names via the same
make invocation taken by the utils/vim/create-apparmor.vim.py script
before the common/list_af_names.sh existed.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/391
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 0c65b9aeb9)
2019-06-30 19:23:02 +02:00
Christian Boltz
b638f453e0 Merge branch 'cboltz-fix-deny-hat' into 'apparmor-2.13'
[2.11..2.13] handle_children: Fix denying of adding a hat

See merge request apparmor/apparmor!378

Acked-by: John Johansen <john.johansen@canonical.com>

(cherry picked from commit d2e83231f0)

87f91864 handle_children: Fix denying of adding a hat
2019-05-02 22:19:24 +00:00
Christian Boltz
cfa7ec1a79 Merge branch 'bugfix/aa-always-logfile-fallback' into 'master'
Fix error 'KeyError: 'logfiles'' when no logprof.conf exists

See merge request apparmor/apparmor!365

Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master

(cherry picked from commit cece787182)

455c4413 aa.py: Ensure there is always a fallback value for the logfile location
3c7e1668 aa.py: Indicate permission error if log file is found but cannot be opened
2019-04-21 16:48:58 +00:00
Christian Boltz
162480cfb1 Merge branch 'cboltz-utils-keywords' into 'master'
update network keyword list in utils and add test

See merge request apparmor/apparmor!350

Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master

(cherry picked from commit dc010bc034)

49849ed7 update network keyword list in utils and add test
2019-03-18 16:03:05 +00:00
Steve Beattie
df05b82f7d
usr merge fixups
Debian and Ubuntu have releases coming out with usr-merge in place. For
these systems, /bin and /sbin are symlinks to their respective /usr
directories. This breaks a few tests in the python utils and in the
regression tests. This patch series fixes them, mostly by performing
realpath() calls when necessary. For the ptrace regression test,
it copies the called /bin/true binary into the created temporary
directory and executes it from there. (Good for other reasons, too.)

(cherry picked from commit b4ab8476e4)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/merge_requests/331
2019-02-13 09:41:34 -08:00
Christian Boltz
49bb2d753e
Drop get_profile_filename() from logparser.py
This function is unused since the last commit.

(cherry picked from commit ed692337a5)
2019-01-02 20:50:49 +01:00
Christian Boltz
182c3e47fb
drop failing corner-case check in logparser.py
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.

Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472

(cherry picked from commit 03ea5b82b7)
2019-01-02 20:50:17 +01:00
Christian Boltz
44ca6942f0 Fix viewing a local inactive profile in aa-genprof
aa-genprof checks if one of the profiles in the extra profile dir
matches the binary, and proposes to use that profile as a starting
point.

Since 4d722f1839 the "(V)iew profile"
option to display the proposed profile was broken.

The easiest fix is to remember the filename in the extras directory, and
display the file from there.

Sidenote: when choosing to use the extra profile, it gets written to
disk without any problems, so this bug really only affected "(V)iew
profile" to preview the proposed extra profile.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit 8b4e76a7d5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-12-07 22:49:26 -08:00
Christian Boltz
5e45af1752 serialize_profile(): Fix handling of options
In the 2.13 branch (and older), 'options' is not always a dict, but can
also be None or an empty string.

Adjust the if condition in serialize_profile() so that "View changes
between clean profiles" doesn't error out.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-12-07 22:47:44 -08:00
Christian Boltz
f997977e6b Replace existing_profiles & fix minitools for named profiles
Technical stuff first:

Replace existing_profiles (a dict with the filenames for both active and
inactive profiles) with active_profiles and extra_profiles which are
ProfileList()s and store the active profiles and those in the extra
directory separately. Thanks to ProfileList, now also the relation
between attachments and filenames is easily available.

Also replace all usage of existing_profiles with active_profiles and
extra_profiles, and adjust it to the ProfileList syntax everywhere.

With this change, several bugs in aa-complain and the other minitools
get fixed:
- aa-complain etc. never found profiles that have a profile name
  (the attachment wasn't checked)
- even if the profile name was given as parameter to aa-complain, it
  first did "which $parameter" so it never matched on named profiles
- profile names with alternations (without attachment specification)
  also never matched because the old code didn't use AARE.

References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
(search for "As usual" ;-)

Just for completeness - the matching still doesn't honor/expand
variables in the profile name.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit 4d722f1839)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-12-07 22:47:11 -08:00
Christian Boltz
848fbae814 add ProfileList class to store list of profiles
ProfileList is meant to store the list of profiles (both name and
attachment) and in which files they live.

Also add unittests to make sure everything works as expected.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit 789c4658e2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-12-07 22:46:28 -08:00
Christian Boltz
368097d8e7 Move updating existing_profiles out of parse_profile_data()
parse_profile_data() returns the parsed profiles, but writes to
existing_profiles directly.

read_profiles() calls parse_profile_data() and already handles adding
the parsed profiles to aa, original_aa or extras, which means updating
existing_profiles there is a much better place.

This commit also includes a hidden change: Previously, when parsing
include files, they were also added to existing_profiles. This is
superfluous, only real profiles need to be stored there.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit 8809218ac8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-12-07 22:45:45 -08:00
Christian Boltz
9da95e607e split off get_new_profile_filename()
... and call it from get_profile_filename_* if get_new is True
(= always with the current code)

PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit a6b8d14908)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-12-07 22:45:11 -08:00
Christian Boltz
43c4c10501 split get_profile_filename into .._from_profile_name and .._from_attachment
Split get_profile_filename() into
- get_profile_filename_from_profile_name() (parameter: a profile name)
- get_profile_filename_from_attachment() (parameter: an attachment)

Currently both functions call get_profile_filename_orig() (formerly
get_profile_filename()) so the behaviour doesn't change yet.

The most important part of this commit is changing all
get_profile_filename() calls to use one of the new functions to make
clear if they specify a profile or an attachment/executable as
parameter.

As promised, the is_attachment parameter starts to get used in this
patch ;-)

Note: The get_new parameter (which I'll explain in the patch actually
using it) is set to True in all calls to the new functions.
The long term plan is to get rid of it in most cases (hence defaulting
to False), but that will need more testing.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit ec741424f8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-12-07 22:44:31 -08:00
Christian Boltz
c0766035df Add is_attachment parameter to write_profile
The minitools call write_profile(), write_profile_feedback_ui() and
serialize_profile() with the _attachment_ as parameter.

However, aa-logprof etc. call them with the _profile name_ as parameter.

This patch adds an is_attachment parameter to write_profile() and
write_profile_feedback_ui(). It also passes it through to
serialize_profile() via the options parameter.

If is_attachment is True, the parameter will be handled as attachment,
otherwise it is expected to be a profile name.

tools.py gets changed to set is_attachment to True when calling the
functions listed above to make clear that the parameter is an attachment.

Note: This patch only adds the is_attachment parameter/option, but
doesn't change any behaviour. That will happen in the next patch.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit bc783372b8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-12-07 22:42:43 -08:00
Christian Boltz
82d3b322da parse_profile_data(): Ensure last line in a profile is valid
'lastline' gets merged into 'line' (and reset to None) when reading the
next line. If 'lastline' isn't empty after reading the whole profile,
this means there's something unparseable at the end of the profile,
therefore parse_profile_data() should error out.

Also remove some simple_tests testcases from the 'exception_not_raised'
list - they only didn't raise the exception because the invalid rule was
the last line in the affected profile.

Thanks to Eric Chiang for accidentally (and maybe even unnoticedly ;-)
discovering this bug while adding some xattr testcases that surprisingly
didn't fail in the tools.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/271
(cherry picked from commit 4efff35bf8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-11-13 16:03:22 -08:00
Christian Boltz
bceac420a6 Merge branch 'cboltz-view-changes-2.13' into 'apparmor-2.13'
[2.12+2.13] use serialize_profile() for the new profile in (V)iew Changes

See merge request apparmor/apparmor!267

Acked-by: John Johansen <john.johansen@canonical.com> for 2.12 and 2.13

(cherry picked from commit f4d7f8ae57)

dd4c2b05 use serialize_profile() for the new profile in (V)iew Changes
1b32d764 delete serialize_profile_from_old_profile()
2018-11-11 17:28:28 +00:00
Christian Boltz
e908b415d7
aa-notify man page: update user's configuration file path
This is a backport of !239

    commit 2209e09aef
    Author: nl6720 <nl6720@gmail.com>

    aa-notify man page: update user's configuration file path

    Signed-off-by: nl6720 <nl6720@gmail.com>
2018-10-16 18:01:02 +02:00
Christian Boltz
e48533b156 Add most abi/bad_*.sd tests to "exception not raised" list
Interestingly, abi/bad_6.sd is detected as invalid, and therefore not
added to the list.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/238
(cherry picked from commit 5c54f66279)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-13 14:34:40 -07:00
Christian Boltz
70733be5c2 Merge branch 'cboltz-mergeprof-hasher-fun' into 'master'
Fix aa-mergeprof crash caused by accidentally initialized hat

See merge request apparmor/apparmor!234

Acked-by: John Johansen <john.johansen@canonical.com>

(cherry picked from commit 93445ca02d)

bc492533 Fix aa-mergeprof crash caused by accidentally initialized hat
2018-10-11 19:49:53 +00:00
Christian Boltz
d57f775d73
is_skippable_dir(): add 'cache.d' to exclude list
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/

Reported on the opensuse-factory mailing list by Frank Krüger and
confirmed by others.

(cherry picked from commit 5b9497a8c6)
2018-10-10 22:56:10 +02:00
John Johansen
0ed6607dc2 Merge branch 'cboltz-2.12-minitools-alternations' into 'apparmor-2.12'
backport "Set flags for profiles represented by a glob" to 2.12

Backport/cherry-pick 5e187daa ("Set flags for profiles represented by a glob") and the follow-up fixes f472b6bb and 0dca959c to 2.12.

Besides backporting this "bugfix feature" to 2.12, this is needed to fix minitools_test.py.

See merge request apparmor/apparmor!218

Acked-by: John Johansen <john.johansen@canonical.com>
2018-10-05 06:44:09 +00:00
nl6720
06b0a9ad37 aa-notify: Read user's configuration file from XDG_CONFIG_HOME
Legacy path ~/.apparmor/notify.conf is preferred if it exists, otherwise
$XDG_CONFIG_HOME/apparmor/notify.conf, with fallback to
~/.config/apparmor/notify.conf, is used.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/215
Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit 1fb9acc59e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-04 23:39:43 -07:00