Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include <tunables/global>
/home/jeffm/mycat flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
/bin/bash ix,
/bin/cat cx,
/home/jeffm/mycat r,
profile /bin/cat {
#include <abstractions/base>
/bin/cat r,
/home/jeffm/mycat r,
}
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/707092
Subject: Subdomain.pm: Fix for null path
References: bnc#407959
When handling the following log entry, logprof will spew perl errors and
ultimately generate an invalid config: "r,"
Since there is nothing to do with a null path, just skip to the next entry.
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
[Note that the second half of the OpenSUSE patch had already been applied.]
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor-profiles: Fix proc usage in firefox profile
References: bnc#436262
This patch corrects the use of the {proc} macro. It should be {PROC}.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
References: bnc#634801
/proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
fixes the profile.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Description: the Ubuntu buildds do not have the AppArmor securityfs mounted, so
the cache tests fail. This patch skips these tests if the introspection
directory is not mounted, but runs them if it is. This should allow testing of
local builds while still allowing builds on the official buildds.
Acked-By: Steve Beattie <sbeattie@ubuntu.com> - both Ubuntu and
OpenSUSE were carrying patches that disabled the caching test,
though OpenSUSE's disabled it completely rather than checking. The
parser builds need to complete even when the kernel it's building on
doesn't support AppArmor or all the extensions that the parser needs
at runtime.
Subject: apparmor-utils: Translation unification
References: bnc#586072
This patch removes small inconsistencies between identical strings to
allow for easier translation.
Reported-by: Isis Binder <isis.binder@gmail.com>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
license/copyright statement. It should have been covered under both
the Immunix acquisition by Novell Inc and by the open sourcing of
the apparmor tree by Novell Inc.
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
References: bnc#307067
The initial generation of the base profile is required to be written out
to put the process in complain mode for observation. If the user
decides to abort the profiling session, that base profile is left
behind.
This patch removes all profiles created during the run up to an abort.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
generated makefile as it results in an rpath binding in the library.
Nominated-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
This patch fixes a logprof bug where when profiles with variable
declarations at the top level (not hidden in an include) were written
back to a file, a trailing comma was being added to the declaration
statement, which is invalid apparmor policy syntax. This patch corrects
this and no longer adds the trailing comma.
Subject: apparmor: Fix network event parsing
References: bnc#665483
The upstream version of AppArmor had network mediation but it was
removed. There's a compability patch floating around that both openSUSE
and Ubuntu have applied to their kernels. Unfortunately, one part was
overlooked. The socket operation event names where changed from the
socket_ prefixed names they had when AppArmor was out-of-tree and
utils/SubDomain.pm was never updated to understand them.
This patch adds an operation-type table so that the code can just
do a optype($operation) call to discover what type of operation a
particular name refers to. It then uses this in place of the socket_
checks to decide whether an event is a network operation.
This allows genprof and logprof to work with networking rules again.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/706733
not passthrough other invalid characters in variable declarations. It
also adds testcases demonstrating the issue.
Nominated-By: Steve Beattie <sbeattie@ubuntu.com>
an error when variable declaration statements contain trailing commas,
instead of passing them through to STDOUT. It also adds parser
testcases demonstrating the issue.
Nominated-By: Steve Beattie <sbeattie@ubuntu.com>
that fixes the following:
- allow net_admin capability for DHCP server
- allow net_raw and network inet raw for ICMP pings when used as a DHCP server
- allow read and write access to libvirt pid files for dnsmasq
See the FAQ in the dnsmasq source for details. This fixes
https://launchpad.net/bugs/697239
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
frontend for spellcheckers and in use by more and more applications,
including empathy and evolution. It is listed on freedesktop.org. See:
http://www.abisource.com/projects/enchant/
This abstraction gives access to enchant itself, files in the user's
home directory for enchant and various dictionaries for:
- aspell
- ispell
- hunspell
- myspell
- hspell
- zemberek
- voikko
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
likely need more once more ibus users start to use it. Additionally,
the 'rw' on the @{HOME}/.config/ibus/bus/ probably only needs 'create'
and 'chmod', so that could be tightened up once those are exposed in
the tools. LP: #649497.
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- use character globbing
- require owner match for files in @{HOME}
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- fix typo for Desktop (should be Desktop/)
- require owner match
- allow writes to @{HOME}/[dD]ownload{,s}
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
* add Canonical to the headers of the pod files touched
* use aa_change_hat() instead of change_hat() (LP: #692216)
* use http://wiki.apparmor.net in the SEE ALSO
* use http://https://bugs.launchpad.net/apparmor/+filebug for bugs
* prefix 'aa-' in SEE ALSO section for utilities (eg, 'aa-complain'
for 'complain')
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
changehat/mod_apparmor/mod_apparmor.pod: make several clarifications
and add a summary for the order of operations
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor: Fix use after free in regexp parser
There are two cases of use-after-free in the simply_tree_base code. It
worked in the past because there aren't any allocations between the
free and the use, so it was still around.
With glibc's memory perturbing feature (set _MALLOC_PERTURB to anything),
the freed memory is poisoned. This causes crashes in e.g. apparmor_parser
while parsing certain profiles.
This patch addresses it by saving a pointer to the node to free after
the node is advanced.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
The is_merged_x_consistend macro was incorrect in that is tested for
USER_EXEC_TYPE to determine if there was an x transition. This fails
for unconfined execs so an unconfined exec would not correctly conflict
with another exec type.
The dfa match flag table for xtransitions was not large enough and not
indexed properly for pux, and cux transitions. The index calculation did
not take into account the pux flag so that pux and px aliased to the same
location and cux and cx aliased to the same location.
This would result in the first rule being processed defining what the
transition type was for all following rules of the type following. So
if a px transition was processed first all pux, transitions in the profile
would be treated pux.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Add auto generation of xtransition conflict tests
All the combiniation of xtransition conflics where not well represented in
the regression test suite. Instead of relying on multiple static test
files, automatically generate all possible conflicts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
documentation for the expected outcome and add additional positive test.
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
that don't want full docs can pick targets they want. Comment out
debug dump of generate af_names.h.
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com>
