Commit graph

7777 commits

Author SHA1 Message Date
Georgia Garcia
bf2054d963 Merge utils: tests: cleanups and allow profile skipping in test-logprof and test-minitools
The utils cannot parse some profile constructs yet, so allow some profiles to be ignored in those tests.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1563
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-02-27 21:35:59 +00:00
Ryan Lee
df0358062d utils: test: expand mechanism for ignoring profiles in tests
The utils cannot parse some of the newer profile constructs yet, so
generalize a pre-existing mechanism for skipping profiles to use that mechanism in the other tests that need it

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-02-27 13:05:00 -08:00
John Johansen
0e8377cde9 Merge test-translations: include "ignore" in exec prompts + make debugging hotkey conflicts easier
This is a follow-up of adding the "ignore" option to exec prompts in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1543

To make future handling of hotkey conflicts easier,
- display all hotkey conflicts at once instead of erroring out at the first conflict.
- display all options involved in a hotkey conflict to make fixing it easier.

Since 1543 was picked into 4.1, I propose the same for this MR.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1557
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-25 02:47:20 +00:00
Ryan Lee
dbe13a0b9d Merge Avoid blhc "CPPFLAGS missing" false positive
Similarly to apparmor/apparmor!403, we don't really need to pass these flags
here, but if we don't, blhc raises a false positive, and I don't want to get
used to ignoring blhc failures on Debian's GitLab CI.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1558
Approved-by: Alex Murray <alex.murray@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Ryan Lee <rlee287@yahoo.com>
2025-02-24 17:02:27 +00:00
Christian Boltz
db7e3109cc test-translations: include "ignore" in exec prompts
This is a follow-up of adding the "ignore" option to exec prompts in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1543
2025-02-24 13:35:08 +01:00
Christian Boltz
3e7e9bf01f test-translations: display all hotkey conflicts at once
... instead of erroring out at the first conflict.

Also display all options involved in a hotkey conflict to make fixing it
easier.
2025-02-24 13:35:05 +01:00
Christian Boltz
d52b301ee8 Merge Import translations from launchpad
This imports translations from launchpad up to commit

revno: 2523
committer: Launchpad Translations on behalf of apparmor-dev
branch nick: apparmor
timestamp: Fri 2025-02-21 09:32:26 +0000
message:
  Launchpad automatic translations update.

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1559
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-02-24 12:32:43 +00:00
John Johansen
2a87a92136 Import translations from launchpad
This imports translations from launchpad up to commit

revno: 2523
committer: Launchpad Translations on behalf of apparmor-dev
branch nick: apparmor
timestamp: Fri 2025-02-21 09:32:26 +0000
message:
  Launchpad automatic translations update.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-02-24 01:28:04 -08:00
intrigeri
187c244056 Avoid blhc "CPPFLAGS missing" false positive
Similarly to apparmor/apparmor!403, we don't really need to pass these flags
here, but if we don't, blhc raises a false positive, and I don't want to get
used to ignoring blhc failures on Debian's GitLab CI.
2025-02-20 22:35:37 +00:00
Georgia Garcia
45a945acd3 Merge profiles: allow ro mounts in fusermount3 profile
These are needed by e.g. AppImages

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1556
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-02-20 18:07:58 +00:00
Georgia Garcia
472181ae75 Merge profiles: fix sbuild to work with the unprivileged_unshare profile
sbuild is an unconfined profile allowing it to bypass the unprivileged
user namespace restriction.

unconfined profiles use a pix transition which means that when the
unprivileged_unshare profile is enabled, the binaries in an unconfined
profile calling unshare will cause a transition to the unprivileged_unshare
profile.

This will break sbuild because it needs capabilities within the
user namespace.

However we cannot just add a x transition rule to unconfined profiles, as
the transitions won't be respected. Instead, we have to make the profile
a default allow profile and add a transition that will override
the default pix transition of allow all.

We have to add the attached_disconnected and mediated_deleted flags
because sbuild is manipulating mounts.

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1555
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-02-20 17:56:47 +00:00
Ryan Lee
a20409cf1e profiles: allow ro mounts in fusermount3 profile
These are needed by e.g. AppImages

Closes: https://bugs.launchpad.net/bugs/2098993
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-02-20 09:49:27 -08:00
John Johansen
7abfc1baf7 profiles: fix sbuild to work with the unprivileged_unshare profile
sbuild is an unconfined profile allowing it to by-pass the unprivileged
user namespace restriction.

unconfined profiles use a pix transition which means when the
unprivileged_unshare profile is enabled, the binaries in an unconfined
profile calls unshare it will transition to the unprivileged_unshare
profile.

This will break sbuild because it needs capabilities within the
user namespace.

However we can not just add a x transition rule to unconfined profiles,
the transitions won't be respected. Instead we have to make the profile
a default allow profile, and add a transition that will override
the default pix transition of allow all.

We have to add the attached_disconnected and mediated_deleted flags
because sbuild is manipulating mounts.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-02-19 16:05:57 -08:00
John Johansen
125ef7a8cb utils: genprof/logprof - fix missing newline nit in MR1543
This is a trivial fix for
  MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1543

instead of waiting longer for the author to fix, the MR was merged
and this manual fixup done.

Fixes: dfe9d713f ("aa-logprof/aa-genprof: allow ignoring executions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-02-19 10:53:47 -08:00
John Johansen
71282550bb Merge aa-logprof/aa-genprof: allow ignoring executions
fixes https://gitlab.com/apparmor/apparmor/-/issues/302

Closes #302
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1543
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-19 18:48:50 +00:00
John Johansen
a5df123056 Merge profiles: add missing fowner capability to the tar profile
This manifested with chmod calls failing in autopkgtests of dbus and snapd.

Given the magnitude of regressions that might be caused by bugs in this profile, @alex_murray has suggested disabling the profile by default (i.e. moving it into `extras/`).

Reported-by: Alex Murray <alex.murray@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1553
Approved-by: Alex Murray <alex.murray@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
2025-02-19 18:18:41 +00:00
Ryan Lee
09573220d2 profiles: add missing fowner capability to the tar profile
This manifested with chmod calls failing in autopkgtests of dbus and snapd

Reported-by: Alex Murray <alex.murray@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-02-18 17:11:55 -08:00
John Johansen
46335d58cf Merge rule_ents from conditional block are dropped
In the following policy, "ptrace" would be dropped during merging:
```
$FOO=true
/bin/true {
  if $FOO {
      ptrace,
  }
}
```

Current behavior:
```
----- Debugging built structures -----
Name:		/bin/true
Local To:	<NULL>
Mode: 
```

With patch:
```
----- Debugging built structures -----
Name:		/bin/true
Local To:	<NULL>
Mode: 
ptrace,
```

I am quite new to the AA code base, so please let me know if I'm missing something obvious and this is intended behavior :)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1551
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-18 22:33:32 +00:00
Georgia Garcia
de61d374ec Merge Miscellaneous typofixes identified by lintian
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1552
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-02-18 21:33:25 +00:00
Georgia Garcia
792aca634e Merge Perl typemap for const char* subprofiles[]
The original plan was to have a minimal subset for Perl excluding the stuff requiring language-dependent typemaps, but it turns out that there was only one thing that required that, and it was simple enough to copy over from the SWIG repo itself. This MR contains the single non-language-generic part of the SWIG updates.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1341
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-02-18 21:32:07 +00:00
Ryan Lee
eff9f442a3 binutils: aa-status processess->processes typofix
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-02-18 11:54:42 -08:00
Ryan Lee
4286423fe2 parser: hfa.cc debug promt->prompt typofix
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-02-18 11:53:35 -08:00
doublez13
dad66f663b rule_ents from conditional block are dropped
In the following policy, "ptrace" would be dropped during merging:

$FOO=true
/bin/true {
  if $FOO {
      ptrace,
  }
}

Current behavior:
----- Debugging built structures -----
Name:		/bin/true
Local To:	<NULL>
Mode: 

With patch:
----- Debugging built structures -----
Name:		/bin/true
Local To:	<NULL>
Mode: 
ptrace,
2025-02-18 16:47:36 +00:00
Ryan Lee
5730fb6d2d Perl typemap for const char* subprofiles[]
This is the only language-dependent nontrivial portion of the SWIG
bindings, and this should be good enough for anyone who is still using the
Perl bindings now

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-02-18 08:44:07 -08:00
John Johansen
8711c7754b Merge tests: provide better output on failures
When a test fails because of an unexpected success (XFAIL), do not display the empty error log as that may confuse the reader just as it had confused the author.

In addition, when something legitimately fails then display tail of trace log as that may show some useful information.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1548
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-18 15:06:33 +00:00
John Johansen
84bf3dee2d Merge tests: mark three regression tests as fixed
The `attach_disconnectd` test is now passing on Ubuntu 24.04+.
The `posix_ipc` is passing everywhere.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1547
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-18 15:04:12 +00:00
Zygmunt Krynicki
c56cbad5ea tests: remove XFAIL/mqeue, stale
There is no mqueue in Makefile TESTS anywhere. This is a red herring.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2025-02-17 17:32:08 +01:00
Zygmunt Krynicki
5f8863c7ca tests: mark ptrace test as fixed
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2025-02-17 16:37:16 +01:00
Zygmunt Krynicki
c268e5d11b tests: display tail of bash.trace on failure
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2025-02-17 16:07:06 +01:00
Zygmunt Krynicki
473e791e4e tests: do not display bash.err on XFAIL passes
This makes no sense since the test has passed and there's nothing to look at in the log.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2025-02-17 16:04:12 +01:00
Zygmunt Krynicki
083dc9652b tests: mark posix_ipc test as fixed
The test used to fail on some versions of Ubuntu but it now passes
everywhere.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2025-02-17 16:03:46 +01:00
Zygmunt Krynicki
3987bf0f33 tests: mark attach_disconnected as fixed
The test is now passing on Ubuntu 24.04+

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2025-02-17 16:03:32 +01:00
John Johansen
e085a23b40 Merge aa-notify: rename polkit files and template info from com.ubuntu
We should be using apparmor controlled domains for these files.

Rename the template file from
  com.ubuntu.pkexec.aa-notify.policy
to
  net.apparmor.pkexec.aa-notify.policy

And update the template file and the install file so that the files
that are generated use net.apparmor instead of com.ubuntu

Signed-off-by: John Johansen <john.johansen@canonical.com>

Closes #486
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1541
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
2025-02-15 01:23:40 +00:00
John Johansen
a410f347a3 aa-notify: rename polkit files and template info from com.ubuntu
We should be using apparmor controlled domains for these files.

Rename the template file from
  com.ubuntu.pkexec.aa-notify.policy
to
  net.apparmor.pkexec.aa-notify.policy

And update the template file and the install file so that the files
that are generated use net.apparmor instead of com.ubuntu

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-02-14 11:49:49 -08:00
John Johansen
b5ff20b5f1 Merge tunable: add letter, alphanumeric character, hex and words variables.
Follow up from !1544 with the other basic variables.

Variables such as `@{rand6}` and `@{word6}` are very commonly used as they allow us to restrict access from rules such as: `/tmp/*`, `/tmp/??????`

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1546
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-14 19:34:00 +00:00
John Johansen
697e53d752 Merge aa-notify: fix package build install of polkit files
The install of the polkit action files for aa-notify leaks build root
information.

From OBS
  apparmor-utils.noarch: E: file-contains-buildroot (Badness: 10000) /usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy

this is present on Ubuntu as well
    <annotate key="org.freedesktop.policykit.exec.path">/build/apparmor-ZUzkoL/apparmor-4.1.0~beta4/debian/tmp/usr/lib/python3/dist-packages/apparmor/update_profile.py</annotate>

this occurs because the {LIB_PATH} template variable is being replaced
with the self.install_lib. Make sure we strip the build prefix if
we are generating the files in a build environment instead of doing
a direct install.

Closes: https://gitlab.com/apparmor/apparmor/-/issues/486
Signed-off-by: John Johansen <john.johansen@canonical.com>

Closes #486
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1540
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
2025-02-14 19:32:27 +00:00
John Johansen
dc583bc1d4 Merge abstraction: add devices-usb & devices-usb-read
Needed for https://gitlab.com/apparmor/apparmor/-/merge_requests/1433

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1545
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-14 19:31:40 +00:00
Alexandre Pujol
8af71cd5f5 tunable: add letter, alphanumeric character, hex and words variables.
2025-02-14 19:56:28 +01:00
Alexandre Pujol
4591ed63ba abstraction: add devices-usb & devices-usb-read
2025-02-14 19:44:25 +01:00
John Johansen
783f012074 Merge tunable: add int variable
This PR only adds the digit `@{d}` and integer `@{int}` variables.

It provides two improvements from the use of the `[0-9]*` glob:
- security: the glob means "a digit followed by anything but `/`", whereas `@{int}` means "up to 10 digits"
Next to the
- stability: using glob in path with `x` can expose to path conflict, removing the glob fixed a lot of issues.

These variables are used by a lot of abstractions that could be upstream here from apparmor.d (PR will follow). It is an import from 33681e14f2/apparmor.d/tunables/multiarch.d/system where other similar variables are in use: `@{hex}`, `@{rand}`, `@{word}`, `@{u8}`, `@{u16}`, `@{u64}`, `@{int2}...@{int64}` ...
They also all could be upstreamed here.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1544
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-14 18:38:13 +00:00
Alexandre Pujol
d7a73847de tunable: add int variable
2025-02-14 19:16:25 +01:00
Sergey Alirzaev
dfe9d713f0 aa-logprof/aa-genprof: allow ignoring executions
fixes https://gitlab.com/apparmor/apparmor/-/issues/302
2025-02-14 17:31:54 +01:00
John Johansen
b4e6f0449b aa-notify: fix package build install of polkit files
The install of the polkit action files for aa-notify leaks build root
information.

From OBS
  apparmor-utils.noarch: E: file-contains-buildroot (Badness: 10000) /usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy

this is present on Ubuntu as well
    <annotate key="org.freedesktop.policykit.exec.path">/build/apparmor-ZUzkoL/apparmor-4.1.0~beta4/debian/tmp/usr/lib/python3/dist-packages/apparmor/update_profile.py</annotate>

this occurs because the {LIB_PATH} template variable is being replaced
with the self.install_lib. Make sure we strip the build prefix if
we are generating the files in a build environment instead of doing
a direct install.

Closes: https://gitlab.com/apparmor/apparmor/-/issues/486
Co-Author: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-02-13 16:42:50 -08:00
John Johansen
226ab5f050 Merge utils: aa-genprof fails on lxd with OSError: Read-only file system
On certain lxc containers, when aa-genprof tries to set
printk_ratelimit, it fails with the OSError exception, with the
message "OSError: [Errno 30] Read-only file system" instead of
PermissionError.

Since PermissionError is a subclass of OSError, replace it by broader
OSError exception to include both cases in which running aa-genprof
fails.

Reported-by: Paulo Flabiano Smorigo <paulo.smorigo@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1539
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-13 22:34:22 +00:00
John Johansen
49bc2d855f Merge utils: allow install locations to be overridden in Makefile
Instead of setting those variables unconditionally, set them if they
aren't externally set by environment variables. This will allow for usages
like DESTDIR=/some/other/dir make install in the utils directory.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1542
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-13 21:52:04 +00:00
Ryan Lee
2747013d9b utils: allow install locations to be overridden in Makefile
Instead of setting those variables unconditionally, set them if they
aren't externally set by environment variables. This will allow for usages
like DESTDIR=/some/other/dir make install in the utils directory.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-02-13 13:00:51 -08:00
Georgia Garcia
e1ae6fa81c utils: aa-genprof fails on lxd with OSError: Read-only file system
On certain lxc containers, when aa-genprof tries to set
printk_ratelimit, it fails with the OSError exception, with the
message "OSError: [Errno 30] Read-only file system" instead of
PermissionError.

Since PermissionError is a subclass of OSError, replace it by broader
OSError exception to include both cases in which running aa-genprof
fails.

Reported-by: Paulo Flabiano Smorigo <paulo.smorigo@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-02-13 14:19:46 -03:00
John Johansen
55889ef783 Merge libapparmor: swig: various build fixes for 32-bit systems and older systems
Changes include:
 - using `long` instead of `intmax_t` for `pid_t` typemap (32-bit build failure); see commit message for more details
 - specifying messages for `static_assert` declarations (required up until C23, was accepted as a compiler extension on the systems I had tested this on previously)
 - removing label-followed-by-declaration instance (also a C23 feature supported as extension)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1536
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-02-13 08:28:18 +00:00
John Johansen
0c4e452b46 Merge man apparmor.d: document how variable expansion and path sanitization works
The documentation was missing information about path sanitization, and
why you shouldn't do a leading @{VAR} on path rules. While the example
doing this was fixed, actual information about why you shouldn't do
this was missing.

Document how apparmor will collapse consecutive / characters into a
single character for paths, except when this occurs at the start of
the path.

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1532
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
2025-02-13 02:35:17 +00:00
Ryan Lee
af883bb706 libapparmor: swig: remove instance of label followed by declaration
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-02-12 14:53:34 -08:00