Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments.
Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d257afd309)
622fc44b Add xdg-open (and friends) abstraction
af278ca6 exo-open: Fix denials on OpenSUSE
f07f0771 exo-open: Allow playing alert sounds
80514906 kde-open5: use dbus-network-manager-strict abstraction
ac08dc66 kde-open5: fix denies Ubuntu Eoan
501aada8 gio-open: fix denies Ubuntu Eoan
0a55babe exo-open: do not enable a11y by default
e77abfa5 exo-open: update comment about DBUS denial
d35faafd kde-open5: do not enable a11y by default
8b481d46 kde-open5: do not enable gstreamer support by default
162e5086 xdg-open: update usage example
In focal users of mdns get denials in apparmor confined applications.
An exampel can be found in the original bug below.
It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns"
by default.
--- original bug ---
Many repetitions of
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains
hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mnds.allow contains the domains to resolve with mDNS (in may case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)
Presumably cronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit eeac8c11c9)
abstractions/mesa: allow checking if the kernel supports the i915 perf interface
See merge request apparmor/apparmor!464
Acked-by: Vincas Dargis <vindrg@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
(cherry picked from commit f56bab3f75)
61571da1 abstractions/mesa: allow checking if the kernel supports the i915 perf interface
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
(cherry picked from commit e92da079ca)
This reverts commit 378519d23f.
this commit was meant for the 2.13 branch not master
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9144e39d25)
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit cb8c3377ba)
abstractions/base: allow read access to /run/uuidd/request
See merge request apparmor/apparmor!445
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 80bf920929)
45fffc12 abstractions/base: allow read access to /run/uuidd/request
abstractions/gnome: also allow /etc/xdg/mimeapps.list
See merge request apparmor/apparmor!444
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 3becbbab2c)
67cf4fa3 abstractions/gnome: also allow /etc/xdg/mimeapps.list
abstractions/base: allow read access to top-level ecryptfs directories
See merge request apparmor/apparmor!443
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 24895ea302)
fbd8981e abstractions/base: allow read access to top-level ecryptfs directories
Allow /usr/etc/ in abstractions/authentication
openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.
See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.
Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162
See merge request apparmor/apparmor!426
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
(cherry picked from commit 1cfd4d4bbc)
ee7194a7 Allow /usr/etc/ in abstractions/authentication
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit 663546c284)
dffed831 abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
Drop 'localinclude' in parse_profile_data() and ProfileStorage
See merge request apparmor/apparmor!427
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Acked-by: Steve Beattie <steve@nxnw.org> for 2.12..master
(cherry picked from commit b017f8f8a9)
001ea9e3 Drop 'localinclude' in parse_profile_data() and ProfileStorage
Fix a Python 3.8 autoconf check
See merge request apparmor/apparmor!430
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
Acked-by: Steve Beattie <steve@nxnw.org> for master and 2.13
(cherry picked from commit 3db14e8e49)
ccbf1e0b Fix a Python 3.8 autoconf check
879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.
(cherry picked from commit c5968c70d0)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/420
Signed-off-by: John Johansen <john.johansen@canonical.com>
Bug-Debian: https://bugs.debian.org/935058
Applications running under Xwayland in a GNOME+Wayland session need read access
to this file since:
a8984a81c2
… that was first included in mutter 3.33.3.
This rule is presumably only needed for GNOME+Wayland sessions, so one could
argue that it should live in abstractions/wayland instead, but Jamie argued that
it should be in the X abstraction because Xwayland is a X server.
(cherry picked from commit c006f79141)
MR: https://gitlab.com/apparmor/apparmor/merge_requests/419
Bug-Debian: https://bugs.debian.org/935058
Signed-off-by: John Johansen <john.johansen@canonical.com>
Correct the long option used to print the cache directory.
Fixes: e9d9395f91 ("parser: Add option to print the cache directory")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
(cherry picked from commit 50e34b45c2)
Ref: https://gitlab.com/apparmor/apparmor/merge_requests/406
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Fix crash on unbalanced parenthesis in filename
See merge request apparmor/apparmor!402
Seth Arnold <seth.arnold@canonical.com> for 2.10..master
(cherry picked from commit db1f391844)
8f74ac02 Fix crash on unbalanced parenthesis in filename
When cross compiling apparmor-parser, Makefile will use ar for
creating the static library. However, ar produces libraries on
the build platform. The right ar could be prefixed with the target
platform triples.
Signed-off-by: Xiang Fei Ding <dingxiangfei2009@gmail.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Ref: https://github.com/NixOS/nixpkgs/pull/63999
Bug: https://gitlab.com/apparmor/apparmor/issues/41
(cherry picked from commit 654d96a3f7)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
v2:
- parse partial log line broken at \n
- add testcase_dbus_10.* for partial log line
- remove quotes from testcasw_dbus_09.profile
The following log format has been seen in the wild, and currently results
in a RECORD_INVALID
[4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Test parsing the above message with and without the \n embedded between
peer_label= and exec=
PR: https://gitlab.com/apparmor/apparmor/merge_requests/395
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 0349cf2d0a)
[2.10..2.13] Add for Certbot on openSUSE Leap
See merge request apparmor/apparmor!398
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13
The default path is /etc/certbot/archive/{some domain}/{file name}.pem
See merge request apparmor/apparmor!397
This is a manual cherry-pick of 4d275bab69
and 3016ffb336
[2.13] parser: allow using a custom sbin & usr/sbin dir
This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)
[Per feedback, added USR_SBINDIR as a toggle for the install location
of aa-teardown -- @smb]
Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/111/
(cherry picked from commit 7c86a2acaf)
Cherry-pick requested in https://gitlab.com/apparmor/apparmor/issues/38
See merge request apparmor/apparmor!393
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The mult_mount test creates a small disk image, formats it, and mounts
it in multiple locations in preparation for the tests. However, the
created raw file (80KB) is too small to make a working file system if
4K blocks are used by mkfs. In Ubuntu 19.10, the default was recently
changed for mkfs to default to always using 4K blocks, causing the
script to fail.
We could force mkfs to use 1K blocks, but instead, in case some future
version of mkfs decides not to support 1K blocks at all, we bump up the
size of the disk image to 512KB; large enough to work with 4K blocks
yet small enough to be workable in small scale test environments.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1834192
MR: https://gitlab.com/apparmor/apparmor/merge_requests/396
(cherry picked from commit 7c7a4bc531)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)
[Per feedback, added USR_SBINDIR as a toggle for the install location
of aa-teardown -- @smb]
Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/111/
(cherry picked from commit 7c86a2acaf)
Found this path is used by gtk_compose_hash_get_cache_path() in
gtkcomposetable.c.
(cherry picked from commit 6da7ed2a78)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This addresses https://launchpad.net/bugs/1575438 and also the case of
applications accessing the socket directly (due to NSS config).
(cherry picked from commit ac1d0545f4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add file rule to allow reading application profiles for NVIDIA
Linux graphics driver.
(cherry picked from commit f2e0fdc72b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When dc010bc034 was
backported to the apparmor-2.13 branch (in commit
75236d62e2), it did not take into
account cb8c3377ba, which creates the
common/list_af_names.sh script as used in the test case, was not also
backported to the apparmor-2.13 branch.
Change the test case to get the list of network AF names via the same
make invocation taken by the utils/vim/create-apparmor.vim.py script
before the common/list_af_names.sh existed.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/391
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
