aa-unconfined can fault if it looses the race between checkking if
proc/*/attr/{apparmor/,}current exists, and actually opening the file.
Catch open/file errors and ignore them like the file doesn't exist.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/355
Signed-off-by: John Johansen <john.johansen@canonical.com>
The current attachment works from the commandline but not from
gnome as it uses an alternate path.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/368
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow notification filtering of the fields profile, operation, name,
denied_mask, net_family and net_socket using regex. Both command line
and config options in notify.conf are available.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1154
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Allow notification filtering of the fields profile, operation, name,
denied_mask, net_family and net_socket using regex. Both command line
and config options in notify.conf are available.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The tests for aa-notify that were related to the last login were
assuming that the machine had been logged in at least once in the last
30 days, but that might not be the case.
Update the test to check for the last login date and update the test
logs considering that value.
Fixes: https://bugs.launchpad.net/bugs/1939022
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1152
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The tests for aa-notify that were related to the last login were
assuming that the machine had been logged in at least once in the last
30 days, but that might not be the case.
Update the test to check for the last login date and update the test
logs considering that value.
Fixes: https://bugs.launchpad.net/bugs/1939022
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Failures on regex and exec are related to /usr/bin and /bin merge.
The userns failure is related to the addition of the unprivileged_userns
profile and the kernel ability to transition to it when an unconfined
unprivileged user namespace is created.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1146
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The help message from aa-status referenced -h filter when it should
have been -h filters. Also added some whitespaces for consistency.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1151
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The short form of the help parameter was not accepting an optional
argument as described in the help message. Update the help message to
remove the extra whitespace in between -h and the options since
getopt(1) says that
"If the option has an optional argument, it must be written directly
after the option character if present."
even though that's not described in getopt(3).
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The help message from aa-status referenced -h filter when it should
have been -h filters. Also added some whitespaces for consistency.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
element-desktop needs to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123!1123
In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
!1109
is merged.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1150
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Some openssl distributions use version specific engdef and engines paths
to support multi-version installations.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219571
Signed-off-by: David Disseldorp <ddiss@suse.de>
These applications need to use user namespaces, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123https://gitlab.com/apparmor/apparmor/-/merge_requests/1123
In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
There is a kernel feature, available under
namespaces/userns_create/pciu&, that enables the transition of
unconfined tasks to a special profile called unprivileged_userns when
they try to create an unprivileged user namespace with
clone/unshare. This transition allows the creation of the unprivileged
user namespace but hinders its privileges by not allowing
capabilities. Refer to the unprivileged_userns profile to check what
rules are allowed.
If either the feature is not present in the kernel, or the
unprivileged_userns profile is not loaded, then the defined behavior
is to deny the creation of the unprivileged user namespace
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Some of the tests are failing because of /usr/bin/true vs /bin/true.
Similarly to what was done in 8c09b328, to make the tests more
reliable, copy the true binary to $tmpdir and use this path on the
tests instead.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Keybase needs to use user namespaces, hence it needs an unconfined
profile when user namespaces are restricted from unconfined like other
applications in MR #1123https://gitlab.com/apparmor/apparmor/-/merge_requests/1123
In addition this serves as a handle to uniquely identify keybase
instead of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Unprivileged user namespace creation is allowed an will result in a
transition into the unprivileged_userns profile. The
unprivileged_userns profile with then deny all capabilities within the
profile. Execution of applications is allowed within the
unprivileged_userns profile but, they will result in a stack with the
unprivileged_userns profile, that is to say the unprivileged_userns
profile can not be dropped (capabilities can not be gained).
If the unprivileged_userns profile does not exist, unprivileged user
namespace creation is denied as before.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
These are profiles for applications that create user namespaces, both
the actual policy and unconfined profiles, like it was done in MR
1123.
https://gitlab.com/apparmor/apparmor/-/merge_requests/1123
In addition this serves as a handle to uniquely identify these
applications instead of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Add missing change_profile entry required for the example
Signed-off-by: Mostafa Emami <mustafaemami@gmail.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1141
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
/proc/$pid/cmdline can be changed by an application, therefore escape it
before printing.
The program name in /proc/$pid/exe can also contain any characters
(except \0 and shashes) and needs escaping.
Note: repr() wraps the string into single quotes, which we have to
remove to avoid changing the output format.
The test program from issue 364 now gets displayed as
28443 /path/to/issue364 (/\x1b]0;X\x07) not confined
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/364
I propose this patch for 2.13..master
Closes#364
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1142
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The call aa_getpeercon() can return ENOPROTOOPT error in some cases, specifically when the kernel lacks 'fine grained unix mediation'. Currently, this capability isn't available in upstream kernels, but only in patched ones (for example, the regular Ubuntu kernels). Unfortunately, the manpage lacks this info. This patch fixes this.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/366
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1143
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
/proc/$pid/cmdline can be changed by an application, therefore escape it
before printing.
The program name in /proc/$pid/exe can also contain any characters
(except \0 and shashes) and needs escaping.
Note: repr() wraps the string into single quotes, which we have to
remove to avoid changing the output format.
The test program from issue 364 now gets displayed as
28443 /path/to/issue364 (/\x1b]0;X\x07) not confined
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/364
There are some tests like attach_disconnected and posix_mq that can
have a program that calls another. For example, posix_mq_rcv calls
posix_mq_snd. Both of them write to the same output file, but the code
that checks the result expects only one line. This change enables
checking multiple lines in the output file and passing or failing
accordingly.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1140
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
There are some tests like attach_disconnected and posix_mq that can
have a program that calls another. For example, posix_mq_rcv calls
posix_mq_snd. Both of them write to the same output file, but the code
that checks the result expects only one line. This change enables
checking multiple lines in the output file and passing or failing
accordingly.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The move_mount tests were returning -1 in case of failure causing it
to become 255 in some systems, but checktestbg in the testsuite
considers any return value greater than 128 to be a signal error.
That would cause tests that should fail to display the following test
error:
... was expected to 'fail'. Reason for failure 'killed by
signal 127'
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1139
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
The move_mount tests were returning -1 in case of failure causing it
to become 255 in some systems, but checktestbg in the testsuite
considers any return value greater than 128 to be a signal error.
That would cause tests that should fail to display the following test
error:
... was expected to 'fail'. Reason for failure 'killed by
signal 127'
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Instead of ignoring all exec events that happen in a hat/child profile,
only disallow child exec. ix and px are valid options inside a hat and
are now offered to the user.
(When the tools support nested child profiles one day, we can even allow
child exec again.)
[This MR is for master only. I opened separate MRs for 3.1 and 3.0]
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1133
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
the stacking tests need to be able to read and write the new apparmor
dir in proc, if that interface has been selected. Update the tests to
make sure they have the permissions needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1136
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
the stacking tests need to be able to read and write the new apparmor
dir in proc, if that interface has been selected. Update the tests to
make sure they have the permissions needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of ignoring all exec events that happen in a hat/child profile,
only disallow child exec. ix and px are valid options inside a hat and
are now offered to the user.
(When the tools support nested child profiles one day, we can even allow
child exec again.)
Add support for a default_allow mode that facillitates writing profiles
in that allow everything by default. This is not normally recomended
but fascilitates creating basic profiles while working to transition
policy away from unconfined.
This mode is being added specifically to replace the use of the
unconfined flag in these transitional profiles as the use of unconfined
in policy is confusing and does not reflect the semantics of what is
being done.
Generally the goal for policy should be to remove all default_allow
profiles once the policy is fully developed.
Note: this patch only adds parsing of default_allow mode. Currently
it sets the unconfined flag to achieve default allow but this
prevents deny rules from being applied. Once dominance is fixed a
subsequent patch will transition default_allow away from using
the unconfined flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1109
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
