Add the ability to control whether rule merging is done.
TODO: in the furture cleanup display of flags split accross two tables
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for more flags (not all of the backend dfa based),
rework the optimization and dump flag handling which has been exclusively
around the dfa up to this point.
- split dfa control and dump flags into separate fields. This gives more
room for new flags in the existing DFA set
- rename DFA_DUMP, and DFA_CONTROL to CONTROL_DFA and DUMP_DFA as
this will provide more uniform naming for none dfa flags
- group dump and control flags into a structure so they can be passed
together.
Signed-off-by: John Johansen <john.johansen@canonical.com>
this is reuired because af_rule merging does not take into account
the potential af_unix addresses and could incorrectly merge af_unix
rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently only file rules get merged. Finish adding basic support
for rule merging and make the default the behavior to dedup
merge rules that are exact matches.
Signed-off-by: John Johansen <john.johansen@canonical.com>
When kernel lockdown is enabled the ioperm and iopl tests will fail regardless
since lockdown prevents these syscalls before AppArmor has a chance to mediate
them. So workaround this by detecting when lockdown is enabled and expect the
tests to fail in that case.
Fixes issue #226.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Closes#226
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1063
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When kernel lockdown is enabled the ioperm and iopl tests will fail regardless
since lockdown prevents these syscalls before AppArmor has a chance to mediate
them. So workaround this by detecting when lockdown is enabled and expect the
tests to fail in that case.
Fixes issue #226.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
I have a number of updates for the Firefox profile, based on monitoring AppArmor logs in the course of my own usage.
I'm going to try annotating the diff with the appropriate log messages, to see if that is a useful way of documenting the changes.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1055
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Apologies for the second push; this change is made with the understanding that the abstraction is not intended to be solely read-only.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1059
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Dir "d" is not closed when asprintf fails.
Found by coverity: CID 321416: Resource leaks (RESOURCE_LEAK)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1058
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Dir "d" is not closed when asprintf fails.
Found by coverity: CID 321416: Resource leaks (RESOURCE_LEAK)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The check isn't correct, it should be checking for capability
MAC_ADMIN, but in the future that won't be correct either. Instead
rely on the kernel to check permission to load policy, which it alread
does as it is possible to by-pass the parser to load policy.
Also improve the error message when the kernel does deny
loading policy due to failed permission checks.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1044
Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>
The check isn't correct, it should be checking for capability
MAC_ADMIN, but in the future that won't be correct either. Instead
rely on the kernel to check permission to load policy, which it alread
does as it is possible to by-pass the parser to load policy.
Also improve the error message when the kernel does deny
loading policy due to failed permission checks.
Signed-off-by: John Johansen <john.johansen@canonical.com>
aa-load is a tool that loads cached (compiled) policies into
the kernel. It can receive as argument a file, a cache directory
containing the hash subtree, and a directory containing cached
files directly underneath - no hash.
This tool can be used in the as a guide for other init
systems to load the cached policies directly.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/770
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This Fixes coverity CID 254463: Memory - illegal accesses (USE_AFTER_FREE)
which was introduced in 35e58273 / https://gitlab.com/apparmor/apparmor/-/merge_requests/713 (merged)
The coverity report it self is wrong because while the pointer use is
after free. It is deliberately a pointer comparison to see if the
value was pointing to proc_attr_base_old. This is not actually
problematic as far as it goes. However it does surface a bug in the
logic, and regardless if it is allowed doing a post-free pointer
comparison like this will confuse static checkers and humans alike.
procattr_path() will never return proc_attr_base_old, it will return a
copy of it (if it did return it, we couldn't free it). So the test tmp
!= proc_attr_base_old is bad, in that it will always be true even if
tmp was a copy of proc_attr_base_old.
Fix this by makint tmp auto free, and switching to a string comparison.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1042
Aked-by: time-out
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
made it so rules like
mount slave /snap/bin/** -> /**,
mount /snap/bin/** -> /**,
would get passed into change_mount_type rule generation when they
shouldn't have been. This would result in two different errors.
1. If kernel mount flags were present on the rule. The error would
be caught causing an error to be returned, causing profile compilation
to fail.
2. If the rule did not contain explicit flags then rule would generate
change_mount_type permissions based on souly the mount point. And
the implied set of flags. However this is incorrect as it should
not generate change_mount permissions for this type of rule. Not
only does it ignore the source/device type condition but it
generates permissions that were never intended.
When used in combination with a deny prefix this overly broad
rule can result in almost all mount rules being denied, as the
denial takes priority over the allow mount rules.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2023814
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
Fixes: 9d3f8c6cc ("parser: fix parsing of source as mount point for propagation type flags")
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 86d193e183)
Signed-off-by: John Johansen <john.johansen@canonical.com>
... to avoid returning it uninitialized.
Found by coverity: CID 320935: Uninitialized variables (UNINIT)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1053
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This Fixes coverity CID 254463: Memory - illegal accesses (USE_AFTER_FREE)
which was introduced in 35e58273 / https://gitlab.com/apparmor/apparmor/-/merge_requests/713 (merged)
The coverity report it self is wrong because while the pointer use is
after free. It is deliberately a pointer comparison to see if the
value was pointing to proc_attr_base_old. This is not actually
problematic as far as it goes. However it does surface a bug in the
logic, and regardless if it is allowed doing a post-free pointer
comparison like this will confuse static checkers and humans alike.
procattr_path() will never return proc_attr_base_old, it will return a
copy of it (if it did return it, we couldn't free it). So the test tmp
!= proc_attr_base_old is bad, in that it will always be true even if
tmp was a copy of proc_attr_base_old.
Fix this by makint tmp auto free, and switching to a string comparison.
Signed-off-by: John Johansen <john.johansen@canonical.com>
... so that each change in master gets scanned (until we reach the scan
limit).
This will give us more timely results than only scanning the coverity
branch whenever someone manually updates it.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1052
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Christian Boltz <apparmor@cboltz.de>
... so that each change in master gets scanned (until we reach the scan
limit).
This will give us more timely results than only scanning the coverity
branch whenever someone manually updates it.
I have been testing the `usr.sbin.sshd` profile with the [three "for internal-sftp" rules](ad3750058d/profiles/apparmor/profiles/extras/usr.sbin.sshd (L138-140)) commented out, as they are quite broad. This has turned up a few oversights, a couple of which have been fixed in abstractions. This MR brings in the missing rules that don't currently seem to have a better place to go, and addresses a couple of other minor issues in the profile.
Here are the associated syslog messages:
```
Jun 8 21:09:11 testvm kernel: [ 28.211637] audit: type=1400 audit(1686272951.369:66): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/sshd" name="/run/systemd/notify" pid=830 comm="sshd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 9 00:27:24 testvm kernel: [10846.886139] audit: type=1400 audit(1686284844.516:1268): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/sshd" name="/home/username/.cache/" pid=5815 comm="sshd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jun 9 00:28:57 testvm kernel: [10940.152625] audit: type=1400 audit(1686284937.780:1337): apparmor="DENIED" operation="mknod" profile="/usr/sbin/sshd" name="/home/username/.cache/motd.legal-displayed" pid=5979 comm="sshd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1051
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Found in testing a slimmed-down `usr.sbin.sshd` profile:
```
Jun 8 21:09:38 testvm kernel: [ 54.847014] audit: type=1400 audit(1686272978.009:68): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=1035 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
Not sure what glibc/system call uses this, but it seems pretty broadly applicable, and read access is presumably harmless. [THP reference](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1050
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
/etc/ld-musl-*.path is required to perform dynamic linking on musl libc.
The wildcard is to match all CPU architectures, like x86_64.
type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Closes#333
Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com>
Closes#333
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1047
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This brings in numerous improvements from the Firefox AppArmor profile that Ubuntu ships in 20.04/focal. The raw profile may be viewed [here](https://bazaar.launchpad.net/~mozillateam/firefox/firefox-trunk.head/view/head:/debian/usr.bin.firefox.apparmor.14.10) (or alternately [here](https://bazaar.launchpad.net/~mozillateam/firefox/firefox.focal/view/head:/debian/usr.bin.firefox.apparmor.14.10)).
To review, you may not only want to compare this new version against HEAD, but also against the Ubuntu profile, which has a smaller diff. I suggest preprocessing the latter with the following to reduce extraneous diffs:
```
sed 's,@{PROC}/\[0-9\]\*/,@{PROC}/@{pid}/,g; s,/@{pid}/task/\[0-9\]\*/,/@{pid}/task/@{tid}/,g; s/#\(include\)/\1/'
```
I've made a few minor edits along the way, such as using AppArmor variables instead of preprocessing directives (like `@MOZ_LIBDIR@`) that are substituted in the Firefox package build. Any feature/stylistic downgrades in the Ubuntu profile should have been filtered out.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1043
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Before 300889c3a, mount rules would compile policy when using source
as mount point for rules that contain propagation type flags, such as
unbindable, runbindable, private, rprivate, slave, rslave, shared, and
rshared. Even though it compiled, the rule generated would not work as
expected.
This commit fixes both issues. It allows the usage of source as mount
point for the specified flags, albeit with a deprecation warning, and
it correctly generates the mount rule.
The policy fails to load when both source and mount point are
specified, keeping the original behavior (reference
parser/tst/simple_tests/mount/bad_opt_10.sd for example).
Fixes: https://bugs.launchpad.net/bugs/1648245
Fixes: https://bugs.launchpad.net/bugs/2023025
It should be backported to versions 2.13, 3.0, 3.1.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Before 300889c3a, mount rules would compile policy when using source
as mount point for rules that contain propagation type flags, such as
unbindable, runbindable, private, rprivate, slave, rslave, shared, and
rshared. Even though it compiled, the rule generated would not work as
expected.
This commit fixes both issues. It allows the usage of source as mount
point for the specified flags, albeit with a deprecation warning, and
it correctly generates the mount rule.
The policy fails to load when both source and mount point are
specified, keeping the original behavior (reference
parser/tst/simple_tests/mount/bad_opt_10.sd for example).
Fixes: https://bugs.launchpad.net/bugs/1648245
Fixes: https://bugs.launchpad.net/bugs/2023025
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
/etc/ld-musl-*.path is required to perform dynamic linking on musl libc.
The wildcard is to match all CPU architectures, like x86_64.
type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Closes#333
Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com>
When opening snap browsers with evince using the snap_browsers
abstraction, we get the following AppArmor denials which prevent the
browsers from opening
audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
This MR should be cherry-picked into 2.13, 3.0, 3.1
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1045
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
When opening snap browsers with evince using the snap_browsers
abstraction, we get the following AppArmor denials which prevent the
browsers from opening
audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
