Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 5a62c68743)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 78c09e4337)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 2c614d4413)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit d14723b78c)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit fe2faeb24f)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 9650201928)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 2b936e25a8)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 02ba8523c6)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 72bcf23c5d)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 9f9294b48b)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 41b5fecbcf)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit dc98e8ff55)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit ba3dc9fc85)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 42b43d58d0)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 301857ef5d)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 303deea3a8)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 894c6cd6d2)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit eb38db5953)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 5cc8718965)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
The parser currently skips the cache if optimizations are specified
because it can not determine if the cached policy was compiled
with the specified optimization. However this causes cache misses
even if policy is cached with those options, and distros are setting
some optimizations by default.
Instead of skipping reading the cache if optimizations are set, users
can force overwriting the cache if needed, until the parser can
store aditional meta info in the cache.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/385
BugLink: http://bugs.launchpad.net/bugs/1820068
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit f6cd5c01c1)
This is a partial backport of bc36daa264
(without the abstractions/nameservice removal in
usr.lib.dovecot.pop3-login)
Original commmit message:
dovecot: align {pop3,managesieve}-login to imap-login
Those 3 login daemons should have similiar needs and thus similar
profiles. IMAP is likely the most tested one so let's align the
other 2 with it. Unix and TCP sockets rules were added to pop3-login
after the removal of abstractions/nameservice that included them
implicitly.
Signed-off-by: Simon Deziel <simon@sdeziel.info>
[2.12+2.13] make abstractions/postfix-common compatible with latest postfix profiles
See merge request apparmor/apparmor!387
Seth Arnold <seth.arnold@canonical.com>
Even if we don't backport the latest postfix profiles (in extras) to
2.12 and 2.13, making the abstraction compatible with them (by adding
peer=postfix-master rules in addition to the path-based ones) makes
things much easier for people who want to use the latest profiles.
When building with swig 4 we are seeing the error
AttributeError: 'aa_log_record' object has no attribute '__getattr__'
Which forces swig to use modern classes which do not generate __getattr__
methods.
issue: https://gitlab.com/apparmor/apparmor/issues/33
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a6ac6f4cfc)
looping through the first 16 loop devices to find a free device will
fail if those mount devices are taken, and unfortunately there are
now services that use an excessive amount of loop devices causing
the regression test to fail.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/379
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit ab0f2af1da)
[2.11..2.13] handle_children: Fix denying of adding a hat
See merge request apparmor/apparmor!378
Acked-by: John Johansen <john.johansen@canonical.com>
Choosing "Deny" when handle_children() asks about adding a hat should
not add that hat, but it should _not_ leave the function because that
means all the other log events that were not migrated to prelog yet will
be lost.
Change "return" to "continue" to fix this.
Drop 'to' option for link rules from manpage
See merge request apparmor/apparmor!368
Acked-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit 041cd95a98)
115a1d89 Drop 'to' option for link rules from manpage
Add several libapparmor/swig/ruby files to gitignore
See merge request apparmor/apparmor!366
(cherry picked from commit 9c11ce37c6)
7ed1a16a Add several libapparmor/swig/ruby files to gitignore
Fix error 'KeyError: 'logfiles'' when no logprof.conf exists
See merge request apparmor/apparmor!365
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
(cherry picked from commit cece787182)
455c4413 aa.py: Ensure there is always a fallback falue for the logfile location
3c7e1668 aa.py: Indicate permission error if log file is found but cannot be opened
Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.
(cherry picked from commit 0170e98f9c)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/358
Signed-off-by: John Johansen <john.johansen@canonical.com>
For example, VirtualBox guests have /usr/lib/VBoxOGL.so.
Without this changes, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and display:
ImportError: libGL.so.1: failed to map segment from shared object
… and the system logs have:
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.
So let's not assume all libraries have a name that starts with "lib".
PR: https://gitlab.com/apparmor/apparmor/merge_requests/345
(cherry picked from commit 5cbb7df95e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
update network keyword list in utils and add test
See merge request apparmor/apparmor!350
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit dc010bc034)
49849ed7 update network keyword list in utils and add test
apparmor.d manpage: update list of network domain keywords
See merge request apparmor/apparmor!349
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit 6416ccebf6)
6b276563 apparmor.d manpage: update list of network domain keywords
The calling function and the merge() macro both make use of a variable
named "i" but this causes problems when merging. The aa_policy_cache.sh
test script experiences "bad file descriptor" failures due to the merged
list containing invalid fd values (-1).
Fix this by renaming merge()'s index variables from i and j to y and z
to hopefully prevent future overlap. The better fix here would be to
convert merge() to a function but that's a more intrusive change and I
don't have an easy way to test the overlay feature.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit d7ac07afc4)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
qsort()'s _size_ parameter is used to indicate the size of the elements
in the _base_ array parameter. Adjust the third argument to qsort() to
indicate that we're dealing with an array of struct dirent pointers
rather than an array of struct dirent.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit 8b21871820)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adjust aa_policy_cache.sh to handle the additional layer in the
directory hierarchy when determining where the policy cache binaries are
stored. This is needed due to the multicache changes that allow multiple
policy caches to exist on a single system.
Differentiate between the cache location (the top level directory
containing all caches) and the cache directory (the directory used to
store the cached policies).
Use the libapparmor wrapper to get the cache directory for the given
cache location and the features of the currently running kernel.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit f31457b26e)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Print the policy cache directory path for the features of the currently
running kernel to stdout so that the aa_policy_cache.sh regression test
script can make use of it when writing out binary policy files.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit ad81ea0e67)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The length of a xmatch is used to prioritize multiple profiles that
match the same path, with the intent that the more specific match wins.
Currently, the length of a xmatch is computed by the position of the
first regex character.
While trying to work around issues with no_new_privs by combining
profiles, we noticed that the xmatch length computation doesn't work as
expected for multiple regexs. Consider the following two profiles:
profile all /** { }
profile bins /{,usr/,usr/local/}bin/** { }
xmatch_len is currently computed as "1" for both profiles, even though
"bins" is clearly more specific.
When determining the length of a regex, compute the smallest possible
match and use that for xmatch priority instead of the position of the
first regex character.
(cherry picked from commit cc09794fbd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Using /usr/{bin,sbin}/dbsmasq as both the profile name and attachment break compatibility with the peer=/usr/sbin/dnsmasq rule, in the libvirtd profile.
Instead specify the profile has the old name of /usr/sbin/dnsmasq and specify the attachment separately. This looks funny but it avoids breaking libvirtd and still provides the broader attachment need by distros that have merged sbin into bin.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
I propose this patch for 2.12 and 2.13. (Older versions didn't get the alternation, master has a profile name added.)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/346
Signed-off-by: John Johansen <john.johansen@canonical.com>
Even if we expected it to stay compatible with peer=/usr/sbin/dnsmasq in
the libvirtd profile, practise shows that we were wrong.
This patch adds a tricky workaround so that the profile name doesn't
change, but the profile will attach even on distributions with merged
bin and sbin. (Credits for this crazy idea go to John ;-)
It also re-adds the libvirtd peer name /usr/sbin/libvirtd to avoid
breaking libvirtd.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
and the discussion in https://gitlab.com/apparmor/apparmor/merge_requests/346
tunables/share: fix buggy syntax that broke the ~/.local/share part of the @{user_share_dirs} tunable
See merge request apparmor/apparmor!344
(cherry picked from commit 2ed3763a2f)
cdeb6185 tunables/share: fix buggy syntax that broke the ~/.local/share part of the...
The parser is not correctly handling some error conditions when
dealing with work units. Failure to spawn work, access files, etc
should be returned where appropriate, and be able to abort processing
if abort_on_error is set.
In addition some errors are leading to a direct exit without checking
for abort_on_error.
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921866
BugLink: http://bugs.launchpad.net/bugs/1815294
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Eric Chiang <ericchiang@google.com>
(backported from commit cb43e57d27)
Conflicts:
parser/parser_main.c
Reason:
commit 48a32b78b1 not backported
