Merge from trunk revision 2647
The upstream kernel at some point between the 3.13 and 3.16 kernel
adjusted the output of audit messages to include an additional "audit:"
keyword. e.g. a 3.13 message would look like:
kernel: [182243.243324] type=1400 audit(1409684003.960:273342): [SNIP]
whereas in 3.16, it looks like:
kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): [SNIP]
^^^^^^
This patch adjust the libapparmor aalogparse grammar and lexer to
compensate for this change.
Nominated-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch fixes some memory leaks in the libapparmor log parsing
functions, specifically around handling records obtained from syslog
and records containing network addresses.
Bug: https://bugs.launchpad.net/bugs/1340927
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Merge from trunk commit rev 2329.
This patch fixes the format string for the magic token in aa_change_hat
to match the type of the magic token (long). Without this, on 64
bit platforms, only the bottom 32 bits of the token would be used.
aa_change_hatv() has the correct format string, so an aa_change_hatv()
call followed by an exiting aa_change_hat() call would result in the
latter having a different token, which would cause the process to be
killed by apparmor.
(Hat tip to John Johansen for spotting the actual bug.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Merge from trunk revision 2295:
libtoolize is the standard mechanism for incorporating libtool support
into a library; however, libapparmor's autogen.sh script specifically
looks for the existence of the libtool binary rather than libtoolize.
The libtoolize tool automatically generates a libtool script and does
not require the existence of the libtool binary, so we no longer need
to check for it.
The autogen.sh script aborting because it can't find the libtool
binary causes a spurious build failure in Ubuntu 14.04, due to the
libtool binary being separated out into its own package, and which
is not a strict dependency for libtool.
(I also added setting the package variable so that the error message
emitted will indicate that the failure is in building libapparmor.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
(The broken URLs were introduced in r1582.)
for utils/*.pod:
Acked-by: Steve Beattie <steve@nxnw.org>
for the other directories:
Patch by Steve Beattie
Acked-by: Christian Boltz <apparmor@cboltz.de>
https://bugs.launchpad.net/apparmor/+bug/1196880
Patch by Gernot Vormayr <gvormayr@gmail.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Merge from trunk commit 2108
Author: Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Modifiy the libapparmor macro for python to use python-config if it
exists to determine what CPPFLAGS and LDFLAGS to use when building
the python swig libraries. Without this addition, python detection
fails on ubuntu 13.04. I've confirmed that with this patch applied,
the python libraries still build successfully on older releases as well
(as far back as ubuntu 11.10).
the 2.8 branch.
Original commit message:
committer: Jamie Strandboge <jamie@canonical.com>
Initial port to python3 for utilities. Thanks to Dmitrijs Ledkovs
Acked-By: Jamie Strandboge <jamie@canonical.com>
Most of trunk r2052 also applies to the 2.8 branch. The only difference
is the last section of changes in utils/vim/create-apparmor.vim.py
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Skimmed-by: Seth Arnold <seth.arnold@canonical.com>
time formats. As this is causing failures on some systems
currently the only supported format is
<Month> ## hh:mm:ss
extend this to
<Month> ## hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-dd hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-ddThh:mm:ss(.ms)?((+|-)timezone)?
Merge from trunk commit 2079
Original message:
Given that we want to do more apparmor things in user space (dbus
mediation, file picker, etc.), making it easier for other source bases
to detect the presence of libapparmor would be beneficial. This patch
adds pkg-config support to the build infrastructure for libapparmor.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
$CPPFLAGS. Additionally, do not repeat compiler flags for automake
targets that already include them, and pass more flags to the Perl build.
Signed-off-by: Kees Cook <kees@ubuntu.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/800826https://bugzilla.novell.com/show_bug.cgi?id=755923
This patch modifies the libapparmor log parsing code to add support
for the additional ip address and port keywords that can occur in
network rejection rules. The laddr and faddr keywords stand for local
address and foreign address respectively.
The regex used to match an ip address is not very strict, to hopefully
catch the formats that the kernel emits for ipv6 addresses; however,
because this is in a context triggered by the addr keywords, it should
not over-eagerly consume non-ip addresses. Said addresses are returned
as strings in the struct to be processed by the calling application.
Bug: https://launchpad.net/bugs/800826
aa_getprocattr is returning the size of the buffer not the size of the
data read that it is supposed to return. Also update the man page to
reflect the return value as documented in the functions, and update
the test cases to check the return value.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Steve Beattie <sbeattie@ubuntu.com>
While aa_getprocattr does return the documented error code on failure
the **buf and **mode parameters can point into the buffer that was
allocated and then discarded on failure.
Set them to null on failure so that even if the error code is ignored
they do not point to heap data.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
From: Kees Cook <kees@ubuntu.com>
This is a trivial manpage fix that makes pod2man stop yelling at me.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
From: Steve Beattie <sbeattie@ubuntu.com>
This patch adds --stderr to pod2man to make it report errors, as well as
fixes a few other minor text issues I noticed.
Acked-by: Kees Cook <kees@ubuntu.com>
entries where the comm entry has been hex-encoded. This occurs when the
binary being confined contains a space or other problematic character in
its filename. A test case is included.
This documentation should have been checked in as part of the patches
that added aa_is_confined and aa_get_con.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The define for pid_t is missing in apparmor.h so that if it is included
in programs that don't also include sys/types.h the compile will break.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Some non-Linux systems do not define PATH_MAX (Hurd). Since I have no
interest in supporting a fully dynamic PATH_MAX in AppArmor, work around
this by just defining a static value that matches Linux's limits.h value.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
since things go extremely badly when capabilities disappear. If someone
wants to work on it, I have some initial patch attempts, but it was getting
too time-consuming, so I back-burnered the parser. A very small change was
needed to get the libraries to build, and this is it.
Description: Workaround non-Linux environments to build everything but the
parser.
Author: Kees Cook <kees@debian.org>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Rename change_hat.c to kernel_interface.c to better reflect that it
is providing multiple kernel_interfaces.
Signed-off-by: John Johansen <john.johansen@canonical.com>
