- drop out dated maintenance comment
- cleanup profile name rules, and fix a few broken references
- /usr/lib -> /{usr,}/lib
- lib -> lib{,32,64}
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/611
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
Host files accessed by tcp_wrapper can reference other files, from man
5 hosts.allow
```
A string that begins with a '/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used.
```
This means adding a file to hosts requires updating multiple profiles
Add a hosts abstraction so users only have to modify a single location.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/605
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1864466
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Ubuntu is dropping their chromium-browser profile because
chromium-browser has been made a snap on ubuntu. Suck in the profile
upstream as a reference profile for those who want to confine
chromium outside of a snap, and update its includes.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/606
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
* fix profile name in signal and change_profile rule
* php-fpm profile: adjust /run paths
Thanks to Darix for pointing out that openSUSE now uses /run/php-fpm/
Also switch to using @{run}.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/601
Acked-by: John Johansen <john.johansen@canonical.com>
Fix /usr/lib/postfix binary paths in postfix+dovecot profiles
See merge request apparmor/apparmor!602
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
Provide example rules in parser.conf to pin pre 3.0 policy and
appropriate abi files.
abis for vanilla upstream kernels and outoftree network patched
kernels are provided. With both ABIs dropping v8 support from
advertised by the kernel as 2.x policy/userspace did not support it.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/598
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adapted from https://nordisch.org/posts/php-fpm-apparmor/, port the
nextcloud-independent portion of the php-fpm worker abstractions and
php-fpm isolation for more general usage.
Signed-off-by: Antonio Russo <antonio.e.russo@gmail.com>
The fixes that landed for #98 are incomplete: they only added a check to
ensure that the parser is built, and not libapparmor as well, and also
didn't adjust the invocation of aa-logprof to actually make use of the
built libapparmor or its swig python library.
Furthermore, neither it nor the tests in utils/ add the location of the
swig libapparmor C library to the library search path, meaning that if
the system one does not exist, it will not be found and the test will
fail.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The commit c8b6d8b393 ("profiles: Update 'make check' to select tools
based on USE_SYSTEM") set a bunch of variables but neglected to apply
them when invoking aa-logprof. This commit addresses this by:
* correcting the PYTHONPATH used with aa-logprof
* setting LD_LIBRARY_PATH when invoking aa-logprof
* adjusting LD_LIBRARY_PATH to include both the directory location
of libapparmor but also the swig libapparmor library needed for
python tools to function.
* adjusts the test for the presence of libapparmor to not use
LD_LIBRARY_PATH but instead a libapparmor specific variable
LIBAPPARMOR_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Fixes: c8b6d8b393
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
When running the 'check-logprof' test using tools in the tree,
libapparmor needs to have been built for the python utilities to work.
Add a check for its existence to the test-dependencies target.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The "local" make target does not depend on the parser having been
built. Create a separate "test-dependencies" target and have the tests
that need them depend on that and the "local" target, when validating
the profile set against the apparmor tools.
Fixes: c8b6d8b393
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The authentication, base and nameservice abstraction used /{usr/,}etc/
in several rules. Switch that to the more readable (and tunable)
@{etc_ro} variable.
The profiles dirs make check is not always using the correct tools.
Update it to be similar to other Makefiles where the var USE_SYSTEM
make check USE_SYSTEM=1
is used to indicated that the system installed tools should be used
and
make check
is used to run the tests against the in tree tools
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Mikhail Morfikov has discovered [0] that some font packages in Debian
ships font files in /usr/bin/fonts-foo-bar (like
/usr/share/fonts-font-awesome/ for example). This produces denials for
GUI applications.
Update fonts abstraction to allow reading /usr/bin/fonts-* directories.
Also, refactor abstraction to aggregate two old rules into one.
Closes#94
[0] https://gitlab.com/apparmor/apparmor/-/issues/94
* allow reading my.cnf in dovecot-dict profile (seen with the mail users in a mysql database)
* allow /proc/\*/attr/current in dovecot imap and lmtp (needed when using the "apparmor" plugin which means dovecot switches to user-specific hats)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/566
Acked-by: John Johansen <john.johansen@canonical.com>
Merge branch 'antnesterov/apparmor-fix-dhclient-profile'
@smb: converted read permission to /etc/openssl.cnf to use the openssl
abstraction instead.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/570
This fixes lots of warnings like
```
*** Checking abstractions from ./apparmor.d/abstractions against apparmor_parser
Warning from stdin (stdin line 1): ../parser/apparmor_parser: File 'stdin' missing feature abi, falling back to default policy feature abi
Warning from stdin ([...]/profiles/./apparmor.d/abstractions/apparmor_api/change_profile line 9): ../parser/apparmor_parser: [...]/profiles/./apparmor.d/abstractions/apparmor_api/change_profile features abi 'abi/3.0' differes from policy declared feature abi, using the features abi declared in policy
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/554
Acked-by: John Johansen <john.johansen@canonical.com>
This fixes lots of warnings like
```
*** Checking abstractions from ./apparmor.d/abstractions against apparmor_parser
Warning from stdin (stdin line 1): ../parser/apparmor_parser: File 'stdin' missing feature abi, falling back to default policy feature abi
Warning from stdin ([...]/profiles/./apparmor.d/abstractions/apparmor_api/change_profile line 9): ../parser/apparmor_parser: [...]/profiles/./apparmor.d/abstractions/apparmor_api/change_profile features abi 'abi/3.0' differes from policy declared feature abi, using the features abi declared in policy
```
Tag profiles and abstractions with abi information.
Tagging abstractions is not strictly necessary but allows the parser
to detect when their is a mismatch and that policy will need an
update for abi.
We do not currently tag the tunables because variable declarations
are not currently affected by abi.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
At least on Debian, when DNSSEC validation is enabled, dnsmasq needs to read
/usr/share/dnsmasq-base/trust-anchors.conf
Bug-Debian: https://bugs.debian.org/934869
Move suggested bug reporting from launchpad to gitlab
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
