Separate out the aa-status json version info out from being a magic
element embedded in a string in the middle of the json emitter, and move
it to an early location, along with a comment to edit it whenthe format
changes.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://gitlab.com/apparmor/apparmor/-/merge_requests/517
aa-status output has changed slightly to account for the newer profile
modes. This means the json version needs to be bumped so consumers
can detect the change.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/508
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Move suggested bug reporting from launchpad to gitlab
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
AppArmor 3 exposes kernel support for the kill and unconfined profile
modes. Make sure aa-status has basic support for these modes.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Processes that are confined by multiple profiles in a stack can have
more than one profile mode applied. Allow aa-status to report
processes that are in a mixed profile confinement mode.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Switch aa-status over to using the libapparmor proc accessor. This
will ensure that aa-status works correctly under LSM stacking kernels,
and if other new interfaces are added in the future.
Also at the same time switch over the splitting of context's to
the library provided aa_splitcon() fn.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Make aa-enabled able to distinguish being enabled and enabled without
access to the shared LSM iterfaces.
Signed-off-by: John Johansen <john.johansen@canonical.com>
When libintl is available on the system, we need to link against the
libintl library too.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
The aa-exec tool was indicating, in an error message, that a profile
didn't exist in cases where aa_change_profile() failed with errno set to
ENOENT or EACCES. However, the EACCES error means that changing to the
target profile is not allowed. This patch fixes the error message in the
cause of EACCES:
$ ./aa-exec -p dne -- true
aa-exec: ERROR: profile 'dne' does not exist
$ ./aa-exec -p /usr/sbin/tcpdump -- ./aa-exec -p unconfined -- true
aa-exec: ERROR: insufficient permissions to change to the profile 'unconfined'
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Add the pid of the process to the error, debug, and verbose output. This
is useful for debugging.
For example,
$ aa-exec -v -- whoami
[30389] exec whoami
tyhicks
$ aa-exec -p dne -- true
[30390] aa-exec: ERROR: profile 'dne' does not exist
$ aa-exec -d -p unconfined -- true
[30409] aa-exec: DEBUG: 0 = aa_change_onexec("unconfined")
It can also help when multiple aa-exec invocations are used across a
fork and exec. Here's a contrived example:
$ aa-exec -v -- \
sh -c 'aa-exec -vp /usr/sbin/tcpdump -- aa-exec -p unconfined -- true'
[3424] exec sh -c aa-exec -vp /usr/sbin/tcpdump -- aa-exec -p unconfined -- true
[3425] aa_change_onexec("/usr/sbin/tcpdump")
[3425] exec aa-exec -p unconfined -- true
[3425] aa-exec: ERROR: profile 'unconfined' does not exist
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Exit rather than returning from shell snippets in Makefiles. It is
reported that returning causes the following error message with bash:
/bin/sh: line 4: return: can only `return' from a function or sourced script
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Christian Boltz <apparmor@cboltz.de>
Make the possible exit status values bold to match the style used in
aa-status.pod as of r3680.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
This commit touches up the .po files that generate warnings
when msgfmt processes them to create .mo files, at least with gettext
0.19.7-2ubuntu3 in Ubuntu 16.04 LTS. Example warning types cleaned up
include:
ce.po:7: warning: header field 'Last-Translator' still has the initial default value
ce.po:7: warning: header field 'Language' missing in header
de.po:6: warning: header field 'Language-Team' still has the initial default value
This commit also fixes up po files where the Report-Msgid-Bugs-To:
field had not been updated, setting it with the email address
'AppArmor list <apparmor@lists.ubuntu.com>'
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
binutils 'make install' failed if 'make' wasn't run before.
This patch adds the missing dependency 'install-indep: indep'
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The binutils (aa-enabled and aa-exec) get installed into /usr/bin/ and
are meant to be used by non-root users. Therefore the manpages should be
in section 1 instead of 8 (which is for sysadmin commands).
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The new C based aa-exec does not implement the --file option.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Remove the Perl aa-exec implementation, move the aa-exec(8) man page to
binutils/, and point the regression test to the C based aa-exec in
binutils/.
Note that the new C aa-exec does not implement the --file option which
was present in the Perl aa-exec. It encouraged running programs as root,
since root privileges were required to load the specified profile.
All other features of the Perl aa-exec are present in the C aa-exec.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
