Commit graph

2235 commits

Author SHA1 Message Date
Tyler Hicks
063095bcaa Subject: libapparmor: Move mode parsing into separate function
The getpeercon functions need to parse the mode from the confinement
string. This patch creates a function that aa_getpeercon_raw() and
aa_getprocattr_raw() can both use.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-06-25 15:53:39 -07:00
John Johansen
0d86e64114 Subject: libapparmor: fix return value of aa_getpeercon_raw
Return the total size of the security context on success
as documented.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-06-25 15:52:46 -07:00
John Johansen
b6c9a7623a Subject: libapparmor: Safeguard aa_getpeercon buffer reallocation
Protect against bugs in AppArmor's getsockopt() LSM hook from sending
aa_getpeercon() into an infinite loop.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-06-25 15:52:15 -07:00
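The three libapparmor commits above all touch the same code path: aa_getpeercon() asks the kernel for a peer's confinement string, grows its buffer when the kernel reports ERANGE, and then splits the mode out of "label (mode)". The following is an added example, not libapparmor's code. It assumes a fetcher with getsockopt(SO_PEERSEC)-style semantics (fill the buffer if it fits, otherwise report the required size and fail with ERANGE), a context of the form "label (mode)\n", and a 64 KiB ceiling with 8 retries, all chosen here. The retry loop only continues when the required size actually grew, so a hook that keeps returning ERANGE without a larger size is rejected with EPROTO instead of spinning forever, which is the kind of kernel bug the safeguard commit guards against. The three hooks at the bottom are constructed stand-ins for the kernel.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not libapparmor's code. A "fetcher" has the semantics of
 * getsockopt(SO_PEERSEC) as used by aa_getpeercon_raw(): fill buf if it
 * fits, otherwise set *size to the size required and fail with ERANGE.
 * The context is assumed to look like "label (mode)\n". */
typedef int (*getcon_fn)(char *buf, size_t *size);

#define MAX_CON_SIZE 65536   /* ceiling chosen for this example */
#define MAX_TRIES    8       /* a sane hook needs one retry, not eight */

/* Split "label (mode)" in place: the label is NUL-terminated and the mode
 * returned, or NULL when the context carries no mode ("unconfined").
 * A trailing newline, as /proc/<pid>/attr/current returns, is stripped. */
char *split_mode(char *con)
{
    size_t n = strlen(con);
    char *open;

    if (n && con[n - 1] == '\n')
        con[--n] = '\0';
    if (n == 0 || con[n - 1] != ')')
        return NULL;
    open = strrchr(con, '(');            /* the last " (" starts the mode */
    if (!open || open == con || open[-1] != ' ')
        return NULL;
    open[-1] = '\0';                     /* terminate the label */
    con[n - 1] = '\0';                   /* drop the ')' */
    return open + 1;
}

/* Fetch a context, growing the buffer on ERANGE. Returns the total size the
 * fetcher reported (what aa_getpeercon_raw() documents as its return value)
 * and hands back the malloc'd buffer and the mode pointer; -1 with errno set
 * on error. The retry only continues when the required size actually grew
 * and stays under the ceiling, so a broken hook cannot spin the loop forever
 * (errno is EPROTO in that case). */
ssize_t fetch_con(getcon_fn fn, char **con, char **mode)
{
    char *buf = NULL;
    size_t size = 16;                    /* small on purpose to exercise growth */
    int tries = 0;

    for (;;) {
        char *tmp = realloc(buf, size);
        size_t req = size;

        if (!tmp) {
            free(buf);
            errno = ENOMEM;
            return -1;
        }
        buf = tmp;
        if (fn(buf, &req) == 0) {
            *mode = split_mode(buf);
            *con = buf;
            return (ssize_t)req;
        }
        if (errno != ERANGE) {
            int saved = errno;
            free(buf);
            errno = saved;
            return -1;
        }
        if (req <= size || req > MAX_CON_SIZE || ++tries > MAX_TRIES) {
            free(buf);
            errno = EPROTO;              /* hook asked for a retry that cannot succeed */
            return -1;
        }
        size = req;
    }
}

/* Constructed fetchers standing in for the kernel. */
static const char SAMPLE_CON[] = "/usr/sbin/sshd (enforce)\n";   /* constructed */
static const char UNCONFINED[] = "unconfined\n";                 /* constructed */

static int fake_hook(const char *src, size_t need, char *buf, size_t *size)
{
    if (*size < need) {
        *size = need;
        errno = ERANGE;
        return -1;
    }
    memcpy(buf, src, need);
    *size = need;
    return 0;
}
int good_hook(char *buf, size_t *size)       { return fake_hook(SAMPLE_CON, sizeof SAMPLE_CON, buf, size); }
int unconfined_hook(char *buf, size_t *size) { return fake_hook(UNCONFINED, sizeof UNCONFINED, buf, size); }
/* Models the bug the safeguard commit defends against: ERANGE every time,
 * but the reported size never grows. */
int buggy_hook(char *buf, size_t *size)      { (void)buf; (void)size; errno = ERANGE; return -1; }

/* Returns the size fetch_con() reported when label and mode match,
 * -2 when they do not, -1 when the fetch itself failed (errno set). */
ssize_t demo(getcon_fn fn, const char *want_label, const char *want_mode)
{
    char *con = NULL, *mode = NULL;
    ssize_t n = fetch_con(fn, &con, &mode);
    int ok;

    if (n < 0)
        return -1;
    ok = strcmp(con, want_label) == 0 &&
         ((!want_mode && !mode) || (want_mode && mode && strcmp(mode, want_mode) == 0));
    free(con);
    return ok ? n : -2;
}
```

demo(good_hook, ...) needs one retry (16 bytes is too small for the 26-byte sample) and returns 26, the total size including the NUL; demo(buggy_hook, ...) returns -1 with errno set to EPROTO after the first rejected retry rather than looping.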
Tyler Hicks
887c0a9a44 Subject: Fix mount rule preprocessor output
Currently, mount rule preprocessor output is incorrect:

$ echo '/t { mount options=ro /s -> /d, }' | apparmor_parser -p
/t { mountmount =ro /s -> /d, }
$ echo '/t { mount options in (ro) /s -> /d, }' | apparmor_parser -p
/t { mountmount  in (ro) /s -> /d, }

This is due to incorrect placement of DUMP_PREPROCESS in parser_lex.l.
With this patch, the output is correct:

$ echo '/t { mount options=ro /s -> /d, }' | apparmor_parser -p
/t { mount options=ro /s -> /d, }
$ echo '/t { mount options in (ro) /s -> /d, }' | apparmor_parser -p
/t { mount options in (ro) /s -> /d,

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-06-25 15:46:57 -07:00
John Johansen
a3a3624c57 More updates to the apparmor 3 docs - they are still not in a usable state 2013-06-14 12:35:51 -07:00
Seth Arnold
647d7c1585 move poppler cMap from gnome to fonts, thanks to Felix Geyer 2013-05-30 12:01:27 -07:00
Jamie Strandboge
58f5df11e6 deny writes to upstart user sessions jobs in abstractions/private-files
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2013-05-13 14:56:10 -05:00
Jamie Strandboge
e3c0425857 add @{HOME}/.gnome2/keyrings/** to abstractions/private-files-strict
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2013-05-13 14:55:23 -05:00
John Johansen
b643a42dfd This is a minimal fix to apparmor 2.8 for cache failures when the feature
file is larger than the feature buffer used for cache version comparison.

Ideally this would be dynamically allocated but for 2.8 just bumping the
buffer size is the quick fix.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2013-05-02 11:32:56 -07:00
John Johansen
c0123646f6 Add more wip apparmor documentation 2013-05-02 10:57:23 -07:00
John Johansen
5d220486e9 rename variable doc 2013-05-02 10:55:02 -07:00
John Johansen
8a2efb0dec Add wip AppArmor Policy document 2013-05-02 10:45:36 -07:00
Jamie Strandboge
ae2cdf0fad Fix two race conditions:
1) make sure that the xpra socket exists before trying to attach to it
2) make sure that the client has attached before we start the application

The fix for '1' solves a problem when the system is under load and the
one for '2' fixes a problem with firefox starting too soon and not
having system themes applied.

Exercising the 1 week rule. Seth Arnold commented on the added sleeps and I
adjusted one based on his comments and replied to the list that the other is
needed and that this improves the sandbox/xpra code but that there are
limitations with driving xpra.

Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-04-09 08:31:39 -05:00
Jamie Strandboge
5f871cfad2 profiles/apparmor.d/usr.sbin.nscd: remove read access to
@{PROC}/sys/vm/overcommit_memory, now included in base

Acked-By: Christian Boltz <apparmor@cboltz.de>
Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-04-09 08:19:55 -05:00
Jamie Strandboge
7679ac49b1 add read access to @{PROC}/sys/vm/overcommit_memory as used by glibc. See
http://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb583c0e585e83a01253299afed9ea9a11

Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
2013-04-08 20:11:43 -05:00
Jamie Strandboge
7e9c7c37be update pulseaudio directory and cookie file paths
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
2013-04-08 20:10:36 -05:00
Christian Boltz
53f9cd79f5 Add missing permissions to the nscd profile.
Also deny capability block_suspend because nobody can imagine why it 
would be needed.

References: https://bugzilla.novell.com/show_bug.cgi?id=807104

Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-03-05 22:11:59 +01:00
Steve Beattie
0c3899065b Subject: libapparmor - use python-config if it exists when configuring
Author: Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com>

Modify the libapparmor macro for python to use python-config if it
exists to determine what CPPFLAGS and LDFLAGS to use when building
the python swig libraries. Without this addition, python detection
fails on ubuntu 13.04. I've confirmed that with this patch applied,
the python libraries still build successfully on older releases as well
(as far back as ubuntu 11.10).

Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Kees Cook <kees@ubuntu.com>
2013-01-29 15:21:47 -08:00
Steve Beattie
8f931d8fd6 jjohansen's recent commit to extend the datetime parsing of syslog
messages neglected to include the empty .err files in the testsuite
directory, resulting in ERROR output. These files were included in the
patch submitted to the mail list. This commit adds them.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
2013-01-28 11:19:54 -08:00
Steve Beattie
f4716805aa Merge from Michael Palimaka <kensington@gentoo.org>:
* parser - Respect LDFLAGS while building the parser
* libapparmor - Remove an unused configure option

Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2013-01-28 11:15:57 -08:00
Jamie Strandboge
3c41028cd5 Committing per IRC discussions. Does not update the Makefile to install it yet.
= How it works =
There are basically two modes:
 1. using an existing profile with --profile
 2. dynamically generating a profile

For '1', aa-sandbox is just a wrapper around aa-exec.

For '2', aa-sandbox leverages easyprof and allows you to specify policy
in a limited way on the command line. It then loads the policy into the
kernel as a profile (ie, 'profile <foo> { ... }') so it doesn't get in
the way of existing profiles. It currently calls apparmor_parser via
sudo or pkexec. Once the profile is loaded, aa-exec the application
under the profile.

When -X is specified, the application is launched inside its own X
server using either xpra (the default, which uses Xvfb), xephyr, or
xpra3d (xpra, but using Xorg with the xdummy[1] driver for now[2].
xpra3d doesn't currently perform well, but works ok with newer Gnome
applications that now require GLX). When using '-X', it:
- adds an explicit deny rule for ~/.Xauthority
- generates a dynamic Xauthority file for the session in 
  ~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds an allow rule for ~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds checks for xhost being properly setup
- honors the --with-xauthority option which can be used with --profile

With the above, the :0.0 display should no longer be accessible. Eg:
$ ./aa-sandbox -t ~/sandbox-xterm -X /usr/bin/xterm
$ XAUTHORITY=~/.Xauthority DISPLAY=:0.0 xinput
No protocol specified
Unable to connect to X server

This requires a specifically configured xauth/xhost setup, which is less common
on modern distributions. The man page details how to get this setup.


= Trying it out =
Apply the patch, then:
$ cd ./utils
# cli
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates --read-path=/proc/ /usr/bin/uptime

# 2d only
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/gedit

# 2d alternate (xephyr)
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/gedit

# 3d
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/glxgears

# With an existing profile:
$ ./aa-sandbox --profile=/usr/bin/evolution -X --with-xserver=xpra3d /usr/bin/evolution


= The Patch =
The patch itself is pretty self contained:
utils/aa-easyprof:
- adjusted to import optparse

utils/easyprof/templates/sandbox*
- add two new templates to easyprof

utils/apparmor/easyprof.py:
- use 'profile <foo>' if '<foo>' is not an absolute path
- adjust parser handling so we can reuse it

utils/aa-sandbox:
- small script to drive utils/apparmor/sandbox.py

utils/apparmor/common.py:
- the start of our python library. aa-easyprof would eventually use 
  this (along with the various rewrites), but for now, only the 
  sandboxing uses it.

utils/apparmor/sandbox.py:
- the sandboxing code itself. Of particular note is the use of classing
  to support different X servers

utils/aa-sandbox.pod:
- the corresponding man page


= Improvements =
* don't use sudo
* make pulseaudio in xpra opt-in (currently it is off)
* take advantage of upstream's 3D patches when they stabilize
* investigate how applications can work with the Unity global menu
* surely lots more 

[1]http://xpra.org/Xdummy.html
[2]http://xpra.org/trac/ticket/147
2013-01-14 09:11:58 -06:00
Jamie Strandboge
e91ac70739 revert r2080, it doesn't actually help anything 2013-01-14 08:55:53 -06:00
Jamie Strandboge
52d8345a55 merge from trunk 2013-01-14 08:54:29 -06:00
Christian Boltz
c4947a5a1c abstractions/mysql: changed paths and MariaDB support
abstractions/mysql  contains
   /var/lib/mysql/mysql.sock rw,
   /usr/share/mysql/charsets/ r,
   /usr/share/mysql/charsets/*.xml r,

but the files moved (at least on openSUSE) to
    /usr/share/mysql-community-server/charsets/*.xml
    /var/run/mysql/mysql.sock
This causes denials for all applications using MySQL on 12.2 and 
Factory.

MariaDB has the *.xml files in
    /usr/share/mariadb/charsets/*.xml
and also seems to use /var/run/mysql/ for the socket.

Since MariaDB is basically a drop-in replacement for MySQL, it makes
sense to allow access to it via abstractions/mysql.

References: https://bugzilla.novell.com/show_bug.cgi?id=798183

Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-01-13 14:38:28 +01:00
Michael Palimaka
f86e2858a2 Respect LDFLAGS. 2013-01-14 00:10:41 +11:00
Michael Palimaka
a9e0ae35ba Remove rootlib configure option.
This option is not referenced anywhere, so it should be safe to remove.
2013-01-13 01:56:56 +11:00
Steve Beattie
4962992516 Subject: libapparmor - remove deprecated libimmunix
The libimmunix library is a historical artifact and has generated a
deprecation warning when used to syslog for over 4 years. This patch
removes it entirely from the libapparmor tree.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2013-01-10 13:52:04 -08:00
Steve Beattie
cc2beb996e Subject: profiles - adjust pulseaudio in abstraction
I was testing out a profile for pulseaudio and hit an issue where my
pulseaudio process was getting the firefox profile applied to it. This
is because in abstractions/ubuntu-browsers.d/multimedia the rule for
pulseaudio is /usr/bin/pulseaudio ixr; attached is a patch to change it
to Pixr, so as to use a global pulseaudio policy if it exists.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2013-01-09 15:12:06 -08:00
John Johansen
902c48d748 The following patch extends the libraries log parsing to support more date
time formats.

currently the only supported format is
  <Month> ## hh:mm:ss

extend this to
  <Month> ## hh:mm:ss(.ms)?((+|-)timezone)?

  yyyy-mm-dd hh:mm:ss(.ms)?((+|-)timezone)?

  yyyy-mm-ddThh:mm:ss(.ms)?((+|-)timezone)?

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2013-01-08 14:22:00 -08:00
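An added example, not libapparmor's scanner, of parsing the three timestamp shapes listed in the commit above. It assumes the timezone token is +hh, +hhmm or +hh:mm (or the same with -), keeps the fraction to millisecond precision, and reports the syslog form's missing year as -1. Text after the timestamp is allowed if separated by whitespace, so a whole log line can be handed in; a timestamp glued to trailing junk, an impossible day, or a two-digit year is rejected. All sample inputs in the usage note are constructed.

```c
#include <ctype.h>
#include <string.h>

/* Added example, not libapparmor's scanner: parse the three timestamp shapes
 *   <Month> ## hh:mm:ss(.ms)?((+|-)timezone)?
 *   yyyy-mm-dd hh:mm:ss(.ms)?((+|-)timezone)?
 *   yyyy-mm-ddThh:mm:ss(.ms)?((+|-)timezone)?
 * Assumptions: the timezone token is +hh, +hhmm or +hh:mm (or -), the
 * fraction is kept to millisecond precision, the syslog form has no year. */
struct aa_logtime {
    int year;            /* -1 when the input carried no year */
    int month, day, hour, min, sec;
    int msec;            /* -1 when no fractional seconds were given */
    int has_tz, tz_min;  /* UTC offset in minutes: +0800 -> 480, -05:30 -> -330 */
};

static const char *const MONTHS[12] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                        "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };

/* Read exactly `width` decimal digits into *out and advance *p. */
static int take_digits(const char **p, int width, int *out)
{
    int v = 0;
    for (int i = 0; i < width; i++) {
        if (!isdigit((unsigned char)(*p)[i]))
            return -1;
        v = v * 10 + ((*p)[i] - '0');
    }
    *p += width;
    *out = v;
    return 0;
}

/* hh:mm:ss(.ms)?((+|-)timezone)?  -- the suffix shared by all three forms */
static int take_time(const char **p, struct aa_logtime *t)
{
    int *field[3] = { &t->hour, &t->min, &t->sec };

    for (int i = 0; i < 3; i++)              /* "hh:" "mm:" "ss" */
        if (take_digits(p, 2, field[i]) || (i < 2 && *(*p)++ != ':'))
            return -1;

    t->msec = -1;
    if (**p == '.') {
        int v = 0, n = 0;
        for ((*p)++; isdigit((unsigned char)**p); (*p)++, n++)
            if (n < 3)                       /* keep ms precision, drop the rest */
                v = v * 10 + (**p - '0');
        if (n == 0)
            return -1;                       /* "12:00:00." is not a timestamp */
        for (int kept = n < 3 ? n : 3; kept < 3; kept++)
            v *= 10;                         /* ".5" means 500 ms */
        t->msec = v;
    }

    t->has_tz = t->tz_min = 0;
    if (**p == '+' || **p == '-') {
        int sign = (*(*p)++ == '-') ? -1 : 1, hh, mm = 0;
        if (take_digits(p, 2, &hh))
            return -1;
        if (**p == ':' && isdigit((unsigned char)(*p)[1]))
            (*p)++;                          /* "+05:30": skip the colon */
        if (isdigit((unsigned char)**p) && take_digits(p, 2, &mm))
            return -1;
        t->has_tz = 1;
        t->tz_min = sign * (hh * 60 + mm);
    }
    return 0;
}

/* 0 and *t filled on success, -1 otherwise. Text after whitespace is allowed. */
int aa_parse_logtime(const char *s, struct aa_logtime *t)
{
    const char *p = s;

    memset(t, 0, sizeof *t);
    t->year = -1;
    if (isdigit((unsigned char)*p)) {        /* yyyy-mm-dd{ ,T}hh:mm:ss... */
        if (take_digits(&p, 4, &t->year) || *p++ != '-' ||
            take_digits(&p, 2, &t->month) || *p++ != '-' ||
            take_digits(&p, 2, &t->day) || (*p != ' ' && *p != 'T'))
            return -1;
        p++;
    } else {                                 /* <Month> ## hh:mm:ss... */
        int m = 0, n = 0;
        while (m < 12 && strncmp(p, MONTHS[m], 3) != 0)
            m++;
        if (m == 12)
            return -1;
        t->month = m + 1;
        for (p += 3; *p == ' '; p++)         /* syslog pads the day: "Jan  8" */
            ;
        for (; n < 2 && isdigit((unsigned char)*p); p++, n++)
            t->day = t->day * 10 + (*p - '0');
        if (n == 0 || *p != ' ')
            return -1;
        while (*p == ' ')
            p++;
    }
    if (take_time(&p, t) || (*p && !isspace((unsigned char)*p)))
        return -1;                           /* rejects "14:22:00junk" */
    if (t->month < 1 || t->month > 12 || t->day < 1 || t->day > 31 ||
        t->hour > 23 || t->min > 59 || t->sec > 60)
        return -1;                           /* sec == 60 allows a leap second */
    return 0;
}

/* 1 when `s` parses to exactly these fields; handy for quick checks. */
int logtime_is(const char *s, int year, int month, int day,
               int hour, int min, int sec, int msec, int tz_min)
{
    struct aa_logtime t;

    if (aa_parse_logtime(s, &t))
        return 0;
    return t.year == year && t.month == month && t.day == day &&
           t.hour == hour && t.min == min && t.sec == sec &&
           t.msec == msec && t.tz_min == tz_min;
}
```

With the constructed inputs "Jan  8 14:22:00", "2013-01-08 14:22:00.123+0800" and "2013-01-08T14:22:00.5-05:30", logtime_is() reports (year -1, msec -1, tz 0), (2013, 123 ms, +480 min) and (2013, 500 ms, -330 min) respectively, while "Jan 32 14:22:00", "13-01-08 14:22:00" and "2013-01-08 14:22:00junk" are rejected.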
Steve Beattie
e80eeb3296 Subject: update sshd extra profile
From: Simon Déziel <simon.deziel@gmail.com>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/228229

Update sshd profile to function under 12.04 LTS.

Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2013-01-04 22:31:00 -08:00
Steve Beattie
e3e47a7b61 Subject: profiles - owner usage for @{HOME} rules
From: Simon Deziel <simon.deziel@gmail.com>

A fair number of the rules that apply to files in @{HOME} predate the
existence of the 'owner' qualifier. This patch adds the 'owner'
qualifier in several places.

Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2013-01-04 22:05:53 -08:00
Steve Beattie
33bfedb95a Add comment describing why check-logprof was dropped from the make check
target in the profiles Makefile, for future archaeological spelunking.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2013-01-04 16:33:41 -08:00
Steve Beattie
fd26b2c044 Disable the logprof check by default for the profiles tree, as logprof
has not kept pace with language changes.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2013-01-02 17:56:45 -08:00
Steve Beattie
ce8bb0863b Subject: profiles - dnsmasq: allow writes to
/{,var/}run/sendsigs.omit.d/*dnsmasq.pid for network manager
 integration

Author: Jamie Strandboge <jamie@canonical.com>
Description: allow writes to /{,var/}run/sendsigs.omit.d/*dnsmasq.pid
 for network manager integration
Bug-Ubuntu: https://launchpad.net/bugs/941808

Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2013-01-02 15:47:28 -08:00
Steve Beattie
1cc0885890 Subject: profiles - use @{pid} tunable
This patch adds the kernelvars tunable to the global set that is usually
included by default in apparmor policies. It then converts the rules
that are intended to match /proc/pid to use this tunable.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
2013-01-02 15:34:38 -08:00
Steve Beattie
3810ecb08b Subject: profiles - finish @{PROC} conversion
This patch finishes the conversion from /proc to the @{PROC}
tunable within profiles and abstractions. It also adjusts some of
the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict
things to just the /proc/pid directories. (A followup patch will
convert these to use @{pid} from the kernelvars tunable.)

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-01-02 15:31:01 -08:00
Steve Beattie
39b1aa98eb Subject: profiles - add user's XCompose file to X abstraction
In testing the skype profile, I found access to my @{HOME}/.XCompose
was being rejected. This patch updates the X abstraction to take a
user's defined XCompose key shortcuts into account.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-01-02 15:23:08 -08:00
Steve Beattie
f536c8c50d Subject: profiles - update skype profile
Author: Jamie Strandboge <jamie@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/933440
Forwarded: yes

This is a very slightly updated version of the skype profile
update that Jamie Strandboge submitted, but did not get a review.
The only addition over the previously submitted version is rw access
to @{HOME}/.config/Skype/Skype.conf.

(This commit incorporates the additional @{HOME}/.kde4 change proposed
by Christian Boltz <apparmor@cboltz.de>)

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-01-02 15:17:35 -08:00
Steve Beattie
fb510f8d5b Subject: profiles - fix apparmor_api abstractions
The apparmor_api abstractions make the mistake of including tunables
directly, which is a no-no since the variable definitions in tunables
need to occur in the preamble of a profile, not embedded within it.
This patch removes those includes, and replaces them with documentation
of which tunables are necessary, as some of the expected ones are not part
of tunables/global.

It also adjusts the kernelvars tunable's definition of the @{pid}
regex, as the current parser does not support nesting of {} groupings,
which breaks any profile that attempts to use the tunable.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
2013-01-02 15:02:29 -08:00
Steve Beattie
d19097c5e1 Subject: profiles - nvidia abstraction cleanups
This patch modifies the nvidia abstraction to add the libvdpau wrapper
config file for nvidia workarounds. It also converts the /proc/
rules to use the @{PROC} tunable. And finally, it converts the
ubuntu-browsers.d/multimedia abstraction to use the nvidia abstraction.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-01-02 14:39:45 -08:00
Steve Beattie
f9b9212100 Subject: profiles - separate out logprof checks from parser checks
This patch separates out make check in the profiles/ directory into
two sub targets, for checking profiles against the built parser
and aa-logprof respectively. The logprof check currently makes some
assumptions about the environment that make it difficult to run in
a minimal chroot environment.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-01-02 14:33:12 -08:00
Christian Boltz
5a053dc580 speed up aa-decode by using a bash regex matching instead of calling egrep for each line.
Acked-by: Steve Beattie <sbeattie@ubuntu.com>

(Patch sent 2012-11-01, Acked-by from 2013-01-01)
2013-01-01 20:15:04 +01:00
Steve Beattie
3690a2e1c0 Subject: profiles - fix make check
When I corrected the profiles/Makefile to automatically find files to
install, I converted one variable name but missed a later location where
that variable was used, which broke the 'make check' target, because
directories would be handed to the apparmor parser. This patch corrects
that and also makes the VERBOSE flag report each profile name as it's
being handed to the parser.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
2012-12-21 22:43:11 -08:00
Steve Beattie
039e8d285b Add a parser testcase that triggered the match flags state issue that
was addressed (however temporarily) in commit 2085.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2012-12-10 17:10:40 -08:00
John Johansen
66717a2aec temp fix using the 2.8 patch until the 3.0 patch is ready to land
fix a nasty little bug that can surface in apparmor 2.8 when
Hats/children profiles are used.
  
the matchflags in the dfa backend are not getting properly reset, which
results in a previously processed profiles match flags being used. This is
not a problem for most permissions but can result in x conflict errors.
  
Note: this should not result in profiles with the wrong x transitions loaded
as it causes compilation to fail with an x conflict.
  
This is a minimal patch targeted at the 2.8 release. As such I have just
updated the delete_ruleset routine to clear the flags as it is already
being properly called for every rule set.

Apparmor 2.9/3.0 will have a different approach where it is not possible
to reuse the flags.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2012-12-10 17:08:19 -08:00
Steve Beattie
40d4e22249 Add a small sleep call to the onexec test to give the forked process a
chance to run before verifying its current and future confinement
state. In testing the combined sleeps added roughly a second to
onexec.sh's total time on relatively reasonable hardware.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com> (via IRC)
2012-12-10 10:01:38 -08:00
Steve Beattie
3298ac489c This patch modifies the parser's caching test to more accurately detect
whether or not the filesystem has a fine enough timestamp resolution.
Occasionally even on filesystems like ext3, the two files' creation
dates would differ when created less than a second apart, which would
typically cause the 'Cache is used when cache is newer' test to fail
because the cached file would have the same timestamp as the profile.

The fix creates 10 files 0.1 seconds apart and ensures that all ten
have distinct timestamps.

(The occasional failure was caught in testing runs like
 https://bugs.launchpad.net/qa-regression-testing/+bug/1087061/ )

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2012-12-07 23:18:40 -08:00
Jamie Strandboge
7baf9a4d36 utils/apparmor/sandbox.py: sigh, add another sleep to avoid a race in firefox 2012-12-04 10:15:34 -06:00
Jamie Strandboge
826a84aca1 merge from trunk 2012-12-04 10:12:09 -06:00
Steve Beattie
6a8e98d4b7 Add a small sleep call to the onexec test to give the forked process a
chance to run before verifying its current and future confinement
state. In testing the combined sleeps added roughly a second to
onexec.sh's total time on relatively reasonable hardware.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com> (via IRC)
2012-11-30 21:25:23 -08:00