abstractions/mesa: allow checking if the kernel supports the i915 perf interface
See merge request apparmor/apparmor!464
Acked-by: Vincas Dargis <vindrg@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
(cherry picked from commit f56bab3f75)
61571da1 abstractions/mesa: allow checking if the kernel supports the i915 perf interface
abstractions/base: allow read access to /run/uuidd/request
See merge request apparmor/apparmor!445
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 80bf920929)
45fffc12 abstractions/base: allow read access to /run/uuidd/request
abstractions/gnome: also allow /etc/xdg/mimeapps.list
See merge request apparmor/apparmor!444
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 3becbbab2c)
67cf4fa3 abstractions/gnome: also allow /etc/xdg/mimeapps.list
abstractions/base: allow read access to top-level ecryptfs directories
See merge request apparmor/apparmor!443
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 24895ea302)
fbd8981e abstractions/base: allow read access to top-level ecryptfs directories
Allow /usr/etc/ in abstractions/authentication
openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.
See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.
Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162
See merge request apparmor/apparmor!426
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
(cherry picked from commit 1cfd4d4bbc)
ee7194a7 Allow /usr/etc/ in abstractions/authentication
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit 663546c284)
dffed831 abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
Drop 'localinclude' in parse_profile_data() and ProfileStorage
See merge request apparmor/apparmor!427
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Acked-by: Steve Beattie <steve@nxnw.org> for 2.12..master
(cherry picked from commit b017f8f8a9)
001ea9e3 Drop 'localinclude' in parse_profile_data() and ProfileStorage
Fix a Python 3.8 autoconf check
See merge request apparmor/apparmor!430
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
Acked-by: Steve Beattie <steve@nxnw.org> for master and 2.13
(cherry picked from commit 3db14e8e49)
ccbf1e0b Fix a Python 3.8 autoconf check
879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.
(cherry picked from commit c5968c70d0)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/420
Signed-off-by: John Johansen <john.johansen@canonical.com>
Bug-Debian: https://bugs.debian.org/935058
Applications running under Xwayland in a GNOME+Wayland session need read access
to this file since:
a8984a81c2
… that was first included in mutter 3.33.3.
This rule is presumably only needed for GNOME+Wayland sessions, so one could
argue that it should live in abstractions/wayland instead, but Jamie argued that
it should be in the X abstraction because Xwayland is a X server.
(cherry picked from commit c006f79141)
MR: https://gitlab.com/apparmor/apparmor/merge_requests/419
Bug-Debian: https://bugs.debian.org/935058
Signed-off-by: John Johansen <john.johansen@canonical.com>
Correct the long option used to print the cache directory.
Fixes: e9d9395f91 ("parser: Add option to print the cache directory")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
(cherry picked from commit 50e34b45c2)
Ref: https://gitlab.com/apparmor/apparmor/merge_requests/406
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Fix crash on unbalanced parenthesis in filename
See merge request apparmor/apparmor!402
Seth Arnold <seth.arnold@canonical.com> for 2.10..master
(cherry picked from commit db1f391844)
8f74ac02 Fix crash on unbalanced parenthesis in filename
When cross compiling apparmor-parser, Makefile will use ar for
creating the static library. However, ar produces libraries on
the build platform. The right ar could be prefixed with the target
platform triples.
Signed-off-by: Xiang Fei Ding <dingxiangfei2009@gmail.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Ref: https://github.com/NixOS/nixpkgs/pull/63999
Bug: https://gitlab.com/apparmor/apparmor/issues/41
(cherry picked from commit 654d96a3f7)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
v2:
- parse partial log line broken at \n
- add testcase_dbus_10.* for partial log line
- remove quotes from testcasw_dbus_09.profile
The following log format has been seen in the wild, and currently results
in a RECORD_INVALID
[4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Test parsing the above message with and without the \n embedded between
peer_label= and exec=
PR: https://gitlab.com/apparmor/apparmor/merge_requests/395
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 0349cf2d0a)
[2.10..2.13] Add for Certbot on openSUSE Leap
See merge request apparmor/apparmor!398
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13
The default path is /etc/certbot/archive/{some domain}/{file name}.pem
See merge request apparmor/apparmor!397
This is a manual cherry-pick of 4d275bab69
and 3016ffb336
[2.13] parser: allow using a custom sbin & usr/sbin dir
This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)
[Per feedback, added USR_SBINDIR as a toggle for the install location
of aa-teardown -- @smb]
Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/111/
(cherry picked from commit 7c86a2acaf)
Cherry-pick requested in https://gitlab.com/apparmor/apparmor/issues/38
See merge request apparmor/apparmor!393
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The mult_mount test creates a small disk image, formats it, and mounts
it in multiple locations in preparation for the tests. However, the
created raw file (80KB) is too small to make a working file system if
4K blocks are used by mkfs. In Ubuntu 19.10, the default was recently
changed for mkfs to default to always using 4K blocks, causing the
script to fail.
We could force mkfs to use 1K blocks, but instead, in case some future
version of mkfs decides not to support 1K blocks at all, we bump up the
size of the disk image to 512KB; large enough to work with 4K blocks
yet small enough to be workable in small scale test environments.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1834192
MR: https://gitlab.com/apparmor/apparmor/merge_requests/396
(cherry picked from commit 7c7a4bc531)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)
[Per feedback, added USR_SBINDIR as a toggle for the install location
of aa-teardown -- @smb]
Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/111/
(cherry picked from commit 7c86a2acaf)
Found this path is used by gtk_compose_hash_get_cache_path() in
gtkcomposetable.c.
(cherry picked from commit 6da7ed2a78)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This addresses https://launchpad.net/bugs/1575438 and also the case of
applications accessing the socket directly (due to NSS config).
(cherry picked from commit ac1d0545f4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add file rule to allow reading application profiles for NVIDIA
Linux graphics driver.
(cherry picked from commit f2e0fdc72b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When dc010bc034 was
backported to the apparmor-2.13 branch (in commit
75236d62e2), it did not take into
account cb8c3377ba, which creates the
common/list_af_names.sh script as used in the test case, was not also
backported to the apparmor-2.13 branch.
Change the test case to get the list of network AF names via the same
make invocation taken by the utils/vim/create-apparmor.vim.py script
before the common/list_af_names.sh existed.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/391
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Omnibus collection of translations updates.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from merge commit 3ee468864d
plus following translation fix.)
The translated action character for Deny conflicted with the
untranslated action character for Finish in the Swedish translation.
Remote it, and hope for more action translations.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 03c08cf989)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 9d226f5887)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 01656486ef)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 90a4b301bd)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 3b1c320cfc)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 5a62c68743)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 78c09e4337)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 2c614d4413)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
