drop deprecated perl code
* drop repair_obsolete_profiles (updated profiles for abstraction renames pre-2006)
* drop ancient perl aa-* tools and their modules (rewritten to python in 2.9)
* drop rc.aaeventd.{redhat,suse} initscripts (aaeventd was dropped long ago, therefore we don't need to keep its initscripts)
See merge request apparmor/apparmor!423
Acked-by: John Johansen <john.johansen@canonical.com>
Applications running under Xwayland in a GNOME+Wayland session need read access to this file since:
a8984a81c2
… that was first included in mutter 3.33.3.
This rule is presumably only needed for GNOME+Wayland sessions, so one could argue that it should live in abstractions/wayland instead, but Jamie argued that it should be in the X abstraction because Xwayland is an X server.
MR: https://gitlab.com/apparmor/apparmor/merge_requests/419
Bug-Debian: https://bugs.debian.org/935058
Acked-by: John Johansen <john.johansen@canonical.com>
879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.
Bug-Debian: https://bugs.debian.org/935058
Requires NPAPI, which no major browsers support anymore:
- Mozplugger
- npviewer / nspluginwrapper
The following have been discontinued:
- Google Talk (and plugin)
- f-spot
- conkeror
- galeon
- Mozilla Prism
- rekonq
- Adobe Reader for Linux
Other:
- gnome-codec-install is not in Ubuntu anymore
- gstreamer0.10 was replaced by 1.0
With the effort to remove perl, it makes no sense to keep the deprecated
perl code around for new releases.
Signed-off-by: John Johansen <john.johansen@canonical.com>
aa-status crashed if a profile name contains an opening parenthesis
because the regex enforces (simplified) '^[^(]* \(.*\)' when reading
/sys/kernel/security/apparmor/profiles
This obviously doesn't match if a profile name contains '(' which is
rare and strange, but still allowed, and the match result "None" then
crashes aa-status.
Adjust the regex to allow all chars instead of all except '(' to handle
these corner cases.
Note that '(enforce)' and '(complain)' still get read correctly because
the regex ends with '\((\w+)\)$' and therefore enforces matching
"something inside parenthesis at the end of the line".
This bug has existed since aa-status was rewritten in python, and even
existed in the perl version before. However, in the perl version, the
regex matching was protected with an if, so profile names with '(' were
skipped and hidden from the aa-status output.
Fixes: https://gitlab.com/apparmor/apparmor/issues/51
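The following is an added illustration of the aa-status bug described above, not code from aa-status itself: both regexes are constructed to mirror the commit's simplified description, and the sample lines are a constructed stand-in for /sys/kernel/security/apparmor/profiles.

```python
import re

# Constructed regexes modelled on the commit message, not the real
# aa-status source.  The old pattern rejects '(' anywhere in the profile
# name; the fixed pattern accepts any characters before the trailing
# "(mode)" group, which still anchors the mode at the end of the line.
RE_PROFILE_OLD = re.compile(r'^([^(]*) \((\w+)\)$')
RE_PROFILE_FIXED = re.compile(r'^(.*) \((\w+)\)$')

# Constructed sample of what the profiles file lists: "<name> (<mode>)".
SAMPLE_PROFILES = [
    "/usr/sbin/sshd (enforce)",
    "/usr/bin/evince//sanitized_helper (complain)",
    "/opt/weird (app) name (enforce)",   # rare but allowed: '(' in the name
]


def parse_profiles(lines, regex):
    """Return [(name, mode), ...] for each line.

    A line the regex rejects yields None, which is the value the old
    aa-status then tried to index and crashed on.
    """
    parsed = []
    for line in lines:
        match = regex.match(line)
        parsed.append(match.groups() if match else None)
    return parsed


def count_by_mode(lines):
    """aa-status-style summary with the fixed regex: profiles per mode."""
    counts = {}
    for parsed in parse_profiles(lines, RE_PROFILE_FIXED):
        if parsed is None:
            raise ValueError("unparsable profiles line")
        counts[parsed[1]] = counts.get(parsed[1], 0) + 1
    return counts
```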
When a filesystem is mounted with the option *user*, the file selection
dialogue, e.g. in *Evince*, triggers an access of */run/mount/utab*, which
comes from *libmount* and should be allowed.
Winbind requires access to /var/cache/samba/msg.lock/*.
Move msg.lock/ to abstractions/samba.
On Arch Linux Winbind's pid is set to /run/winbindd.pid.
Signed-off-by: nl6720 <nl6720@gmail.com>
As discussed in https://gitlab.com/apparmor/apparmor/merge_requests/395
RE_LOG_ALL should be more broad so that it doesn't accidentally
overlook/ignore valid log events.
Instead of adding more and more known log formats to logparser.py,
simplify the regex to do only a basic check.
If we really hand over a line to libapparmor that isn't an AppArmor log
event, worst thing that can happen is that we waste a few milliseconds
for handing over that line to libapparmor, and get AA_RECORD_INVALID as a
result.
Some applications query network configuration (using the
QNetworkConfigurationManager class in Qt and similar), which produces
DBus denials under AppArmor confinement when the NetworkManager backend is
used.
Add an abstraction that allows the most common read-only DBus queries for
getting the current network configuration from the NetworkManager backend.
logparser.py: don't error out on exec events without target
See merge request apparmor/apparmor!405
Acked-by: John Johansen <john.johansen@canonical.com>
tests: Allow aa_policy_cache.c to build against old libapparmors
See merge request apparmor/apparmor!407
Acked-by: John Johansen <john.johansen@canonical.com>
Improve readability by being explicit about the value to use when the
conditional evaluates to true.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: John Johansen <john.johansen@canonical.com>
Commit ad81ea0e67 ("tests: Add option to dump policy cache dir with
the libapparmor wrapper") modified aa_policy_cache.c to call
aa_policy_cache_dir_path_preview(). That added a hard dependency on
libapparmor >= 2.13, which is the first version to add
policy_cache_dir_path_preview() to libapparmor. The dependency makes it
impossible to build and run the upstream regression tests against an
installed libapparmor older than 2.13 due to aa_policy_cache.c failing
to build.
Add a compatible aa_policy_cache_dir_path_preview() when building
aa_policy_cache.c against a libapparmor older than 2.13 and newer than
or equal to 2.10.
Fixes: ad81ea0e67 ("tests: Add option to dump policy cache dir with the libapparmor wrapper")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Correct the long option used to print the cache directory.
Fixes: e9d9395f91 ("parser: Add option to print the cache directory")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Test the profile transition limits imposed by NO_NEW_PRIVS to ensure
that behavior doesn't unexpectedly change.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
commit 7297e2f6a8 assumed that exec events
always have a "target=...", but this is only true for events in complain
mode. In enforce mode, the log line doesn't include "target=...".
This commit sets an empty target instead of erroring out on every exec
event in enforce mode.
Also adjust ask_exec() in aa.py to only update
hashlog[aamode][target_profile]['final_name'] if target_profile is set
(hashlog[aamode][''] doesn't exist and trying to write to it would error
out)
- in complain mode, exec events include target=...
- in enforce mode, the log message doesn't include target=...
Note that the utils tests skip exec events (they'd be interactive),
therefore exec*.profile doesn't contain an exec rule.
When cross compiling apparmor-parser, the Makefile will use ar for
creating the static library. However, ar produces libraries for
the build platform. The right ar could be prefixed with the target
platform triple.
Signed-off-by: Xiang Fei Ding <dingxiangfei2009@gmail.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Ref: https://github.com/NixOS/nixpkgs/pull/63999
Bug: https://gitlab.com/apparmor/apparmor/issues/41
convert_regexp() needs to escape '(' and ')' in filenames taken from a
logfile to get rid of their special meaning, and to avoid a crash on
unbalanced parentheses (which make the regex invalid if they are not
escaped).
Note: The added tests include an example log line, but the tests themselves
don't/didn't trigger the crash because they don't call convert_regexp().
Fixes: https://bugs.launchpad.net/bugs/1835311
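As an added illustration of the escaping problem (not the project's convert_regexp() from apparmor/aa.py), a constructed, simplified glob-to-regex converter alongside the unescaped behaviour that turns a filename with an unbalanced '(' into an invalid regex:

```python
import re


def convert_glob(path):
    """Constructed, simplified path-glob-to-regex converter.

    '**' matches across '/', '*' and '?' stay within one path component,
    and every other character, '(' and ')' included, is escaped so it
    only matches itself.
    """
    out = []
    i = 0
    while i < len(path):
        c = path[i]
        if c == '*':
            if path[i + 1:i + 2] == '*':
                out.append('.*')
                i += 1
            else:
                out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        else:
            out.append(re.escape(c))
        i += 1
    return '^' + ''.join(out) + '$'


def convert_glob_unescaped(path):
    """The behaviour the commit fixed: parentheses (and other
    metacharacters) pass through and keep their regex meaning."""
    return '^' + path.replace('*', '[^/]*') + '$'


def glob_matches(path_glob, candidate):
    """True if the escaped conversion of path_glob matches candidate."""
    return re.match(convert_glob(path_glob), candidate) is not None


def compiles(pattern):
    """True if the regex is valid; an unbalanced '(' makes it invalid."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False
```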
v2:
- parse partial log line broken at \n
- add testcase_dbus_10.* for partial log line
- remove quotes from testcase_dbus_09.profile
The following log format has been seen in the wild, and currently results
in a RECORD_INVALID
[4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Test parsing the above message with and without the \n embedded between
peer_label= and exec=
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
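An added example (not logparser.py or libapparmor code) covering two of the messages above: the permissive pre-check that the RE_LOG_ALL simplification argues for, and reassembly of the dbus record shown above when it arrives split at the "\n" between peer_label= and exe=. The pre-check regex, the record-start regex and the key=value extraction are constructed stand-ins for the real parser.

```python
import re

# The record from the commit message, as two physical lines (constructed
# from the text above; the real source is an audit log).
SPLIT_RECORD = """[4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'""".splitlines()

# Constructed, deliberately broad pre-filter in the spirit of the
# simplified RE_LOG_ALL: any line carrying an apparmor= key is worth
# handing to the real parser; unrelated lines are dropped cheaply.
RE_LOG_BASIC = re.compile(r'apparmor="?(ALLOWED|DENIED|AUDIT|STATUS)')
# A new record begins with an optional kernel timestamp and "type=".
RE_RECORD_START = re.compile(r'^(\[\s*\d+\.\d+\] )?(audit: )?type=')
# key=value pairs; the outer msg='...' wrapper is not itself a field.
RE_KV = re.compile(r'(\w+)=("[^"]*"|[^\s\'"]+)')


def reassemble(lines):
    """Join physical lines back into audit records: a line that does not
    start a new record continues the previous one."""
    records = []
    for line in lines:
        line = line.rstrip('\n')
        if RE_RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records


def parse_fields(record):
    """Dict of key=value pairs (quotes stripped); a repeated key such as
    pid= keeps its last value."""
    return {k: v.strip('"') for k, v in RE_KV.findall(record)}


def parse_log(lines):
    """Reassembled records that pass the basic check, as field dicts."""
    return [parse_fields(r) for r in reassemble(lines)
            if RE_LOG_BASIC.search(r)]
```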
Add for Certbot on openSUSE Leap
The default path is `/etc/certbot/archive/{some domain}/{file name}.pem`
See merge request apparmor/apparmor!397
Acked-by: Christian Boltz <apparmor@cboltz.de>
The mult_mount test creates a small disk image, formats it, and mounts
it in multiple locations in preparation for the tests. However, the
created raw file (80KB) is too small to make a working file system if
4K blocks are used by mkfs. In Ubuntu 19.10, the default was recently
changed for mkfs to default to always using 4K blocks, causing the
script to fail.
We could force mkfs to use 1K blocks, but instead, in case some future
version of mkfs decides not to support 1K blocks at all, we bump up the
size of the disk image to 512KB; large enough to work with 4K blocks
yet small enough to be workable in small scale test environments.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1834192
MR: https://gitlab.com/apparmor/apparmor/merge_requests/396
Instead of setting SFS_MOUNTPOINT in is_apparmor_loaded() (which is
called in most cases) and in is_container_with_internal_policy() (which
covers/fixes the remaining cases), set it globally.
This also fixes a bug in is_container_with_internal_policy() (introduced
in f10e72a14f) where the variable
definition tried to use the no longer existing $MODULE variable and
therefore got a wrong path for $SFS_MOUNTPOINT.
Besides this bug, there's a minor behaviour change / improvement if
securityfs isn't mounted - "file not found" error messages will now
contain the full/correct path ;-)
This change/cleanup is a follow-up of
https://gitlab.com/apparmor/apparmor/merge_requests/363 and some IRC
discussions 2019-04-16.