With %option nodefault, the parser now errors out as expected, even if
the error message isn't too helpful.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit 7d062917aa)
... (using `%option nodefault`) instead of echoing the unknown parts to
stdout, and ignoring the error.
This will cause the parser to error out with
flex scanner jammed
and $?=2 if a profile contains unknown/invalid parts. That's not really
a helpful error message, but still better than ignoring errors.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit c01ed1d57b)
Seen on openSUSE Tumbleweed with the mail users in a mysql database.
(cherry picked from commit f7ab91f423)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is needed when using the "apparmor" plugin which means dovecot
switches to user-specific hats.
Seen on openSUSE Tumbleweed.
(backported from commit 6a388859f8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When a filesystem is mounted with the option *user*, the file selection
dialogue, e.g. in *Evince*, triggers an access of */run/mount/utab*, which
comes from *libmount* and should be allowed.
Reported-by: JrgSommer[m] in #apparmor
(cherry picked from commit cd3532f792)
Signed-off-by: John Johansen <john.johansen@canonical.com>
strip_quotes() assumed its parameter is at least one character long, and
errored out on an empty string.
It also converted a string consisting of a single quote to an empty
string because that single quote had a quote as first and last char.
This commit fixes these two bugs.
Also rewrite TestStripQuotes to use tests[], and add some test for an empty
string, a one-char path (just a slash) and a single quote.
(cherry picked from commit 373e8e23b1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
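To make the two bugs in that commit message concrete, here is an added example (not AppArmor's own code): a reconstructed pre-fix `strip_quotes_old()` that behaves as the message describes, the fixed `strip_quotes()`, and a `tests[]`-style table covering the empty string, a one-character path (just a slash) and a lone quote. The pre-fix body is an assumption based only on the description of its failures.

```python
# Added example: reconstructed buggy strip_quotes() beside a fixed version.

def strip_quotes_old(data):
    """Reconstructed pre-fix behaviour (assumption from the commit message):
    indexes data[0] without checking the length, so '' raises IndexError,
    and a lone '"' has a quote as both first and last char, so it becomes ''."""
    if data[0] == '"' and data[-1] == '"':
        return data[1:-1]
    return data


def strip_quotes(data):
    """Fixed version: only a string of at least two characters that both
    starts and ends with a double quote loses that surrounding pair."""
    if len(data) > 1 and data[0] == '"' and data[-1] == '"':
        return data[1:-1]
    return data


# Constructed test table in the (input, expected) shape the commit refers to.
tests = [
    ('', ''),                      # empty string must not crash
    ('/', '/'),                    # one-char path stays as is
    ('"', '"'),                    # a single quote is not a quoted empty string
    ('"/foo bar"', '/foo bar'),    # a real quoted path is unquoted
    ('/foo bar', '/foo bar'),      # unquoted input is untouched
    ('"/half', '"/half'),          # only one quote present: leave alone
]


def old_result(data):
    """Run the reconstructed old function, reporting an exception as a string
    so the failure mode can be compared in a table instead of crashing."""
    try:
        return strip_quotes_old(data)
    except IndexError as e:
        return 'IndexError: %s' % e


def check_all():
    """Return True when the fixed function passes every row of tests[]."""
    return all(strip_quotes(data) == expected for data, expected in tests)


if __name__ == '__main__':
    for data, expected in tests:
        print('%-12r old=%-28r fixed=%r' % (data, old_result(data), strip_quotes(data)))
    print('all fixed-version tests pass:', check_all())
```

Running the block prints the old and fixed result side by side; the two rows the commit mentions are the ones where the old column shows an IndexError (empty input) and an empty string (lone quote).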
[2.12+2.13] collapse_log(): avoid accidentally initializing aa[profile]
See merge request apparmor/apparmor!539
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12 and 2.13
... or calling is_known_rule() on events for non-existing hats.
It's the usual hasher() "fun" again - accessing a non-existing element
will create its parent.
In theory this commit might be worth a backport. In practice, it doesn't cause
any visible problem.
However, starting with the next commit, it will cause lots of test errors.
Also add a missing is_known_rule() call for dbus rules, which might have
caused similar hasher() "fun".
(Backported from 9f1b2f4014)
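The hasher() "fun" the message refers to is autovivification: reading a key of a recursive defaultdict creates it. The added example below (not AppArmor's own code) models hasher() as a recursive defaultdict, feeds it a constructed set of log events, and contrasts a collapse routine that probes aa[profile][hat] before knowing whether the hat exists with one that checks a known-hats table first. The event tuples, the KNOWN_HATS table and the profile and hat names are all constructed for the example.

```python
# Added example: why a lookup on a hasher() can create aa[profile][hat],
# and the check-before-lookup order that avoids it.
from collections import defaultdict


def hasher():
    """Recursive defaultdict: any missing key materialises a new hasher()."""
    return defaultdict(hasher)


# Constructed sample events: (profile, hat, path, mode). 'ghost-hat' does
# not exist in the loaded profile set, as a stale log entry might reference.
SAMPLE_EVENTS = [
    ('/usr/sbin/dovecot', '/usr/sbin/dovecot', '/etc/dovecot/dovecot.conf', 'r'),
    ('/usr/sbin/dovecot', 'imap-login', '/run/dovecot/login', 'w'),
    ('/usr/sbin/dovecot', 'ghost-hat', '/tmp/stale', 'r'),
]

# Constructed table of hats that actually exist per profile.
KNOWN_HATS = {'/usr/sbin/dovecot': {'/usr/sbin/dovecot', 'imap-login'}}


def is_known_rule(aa, profile, hat, path):
    """Is path already recorded under aa[profile][hat]?  Note that indexing
    aa[profile][hat] creates both levels if they were absent; only the final
    'path in ...' membership test is side-effect free."""
    return path in aa[profile][hat]


def collapse_naive(events):
    """Probes the hasher before checking whether the hat exists, so every
    event for a non-existing hat leaves an empty aa[profile][hat] behind."""
    aa = hasher()
    for profile, hat, path, mode in events:
        if is_known_rule(aa, profile, hat, path):
            continue
        if hat in KNOWN_HATS.get(profile, ()):
            aa[profile][hat][path] = mode
    return aa


def collapse_guarded(events):
    """Checks the known-hats table first; the hasher is only touched for
    hats that really exist, so no accidental entries are created."""
    aa = hasher()
    for profile, hat, path, mode in events:
        if hat not in KNOWN_HATS.get(profile, ()):
            continue
        if is_known_rule(aa, profile, hat, path):
            continue
        aa[profile][hat][path] = mode
    return aa


def hats_of(aa, profile):
    """Sorted list of hat names present under a profile (empty ones included)."""
    return sorted(aa[profile].keys()) if profile in aa else []


if __name__ == '__main__':
    print('naive  :', hats_of(collapse_naive(SAMPLE_EVENTS), '/usr/sbin/dovecot'))
    print('guarded:', hats_of(collapse_guarded(SAMPLE_EVENTS), '/usr/sbin/dovecot'))
```

The naive variant reports 'ghost-hat' as a hat of the profile even though nothing was ever stored under it, which is exactly the kind of phantom entry that later code, or a test suite, trips over. The guarded variant's only difference is the order of the two checks.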
apparmor.vim: allow leading whitespace for alias rules
See merge request apparmor/apparmor!527
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..master
(cherry picked from commit ae70ecfbaa)
c636580f apparmor.vim: allow leading whitespace for alias rules
less shell ;-)
See merge request apparmor/apparmor!520
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6b55794074)
48bae9e3 less shell ;-)
[2.11..2.13] Fix showing the local inactive profile in json mode
See merge request apparmor/apparmor!516
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.12 and 2.13
When aa-genprof proposes a local inactive profile, it had a hardcoded
call to 'less' to display that profile.
Unsurprisingly, this doesn't work in JSON mode and breaks YaST (luckily
it's only a case of "the button doesn't work").
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1171315
(cherry picked from commit 68a258b006)
(cherry picked from commit cb95e9a2568b19e2e7601c0af363e0605a6889d9)
UI_ShowFile() is more generic and can be used to display various (text)
files, not only diffs.
(cherry picked from commit bb3803b931,
adjusted for 2.13 branch)
apparmor.vim: support 'include if exists'
See merge request apparmor/apparmor!500
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
(cherry picked from commit a4864146e2)
efa7c6d6 apparmor.vim: support 'include if exists'
Privacy statement
See merge request apparmor/apparmor!441
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 4281b58c89)
bfde89a6 infrastructure: Add privacy statement to the README
This series adds a couple of patches to make the software more cross-compilation friendly. They are based on the work I'm doing to fix the package on buildroot.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/485
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9ba2334423)
Signed-off-by: John Johansen <john.johansen@canonical.com>
egrep: bad regex '^/.[ \t]+flags[ \t]=[ \t]*([ \t]complain[ \t])[ \t]+{': Invalid contents of {}
Note the final non-escaped {.
The issue is not present any more in branch master.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/80
Signed-off-by: John Johansen <john.johansen@canonical.com>
usr.sbin.dnsmasq: update to support dnsmasq 2.81
See merge request apparmor/apparmor!475
Acked-by: Christian Boltz for 2.11..master
(cherry picked from commit acafe9de82)
88c142c6 usr.sbin.dnsmasq: allow reading @{PROC}/@{pid}/fd/ as is needed by dnsmasq 2.81
@Talkless requested xdg-open and friends be cherry-picked into 2.13
This is the set of commits (and fixes) to do that without modifying them.
We could drop backporting dbus-strict by modifying both the adding missing .d dirs, and add xdg-open and friends patches.
This series does not currently include the make check test and its fixes for the .d directories, as they were not required but we may want to include them to catch any potential errors.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/471
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add #include if exists <*.d> to new abstractions
See merge request apparmor/apparmor!453
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(cherry picked from commit 962f1e7a7b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Implement a set of abstractions to handle opening URIs via xdg-open and similar helpers used on different desktop environments.
Abstractions are intended to be included into a child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what a confined application can actually open via xdg-open and similar helpers.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d257afd309)
Signed-off-by: John Johansen <john.johansen@canonical.com>
add missing *.d include to dbus-network-manager-strict abstraction
See merge request apparmor/apparmor!448
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(cherry picked from commit eae474bb5c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some applications query network configuration (using the QNetworkConfigurationManager class in Qt and similar), and that produces DBus denials under AppArmor confinement when the NetworkManager backend is used.
Add an abstraction that allows the most common read-only DBus queries for getting the current network configuration from the NetworkManager backend.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/409
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a10fa57fb6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
In focal users of mdns get denials in apparmor confined applications.
An example can be found in the original bug below.
It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns
by default.
--- original bug ---
Many repetitions of
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains
hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mdns.allow contains the domains to resolve with mDNS (in my case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)
Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit eeac8c11c9)
abstractions/mesa: allow checking if the kernel supports the i915 perf interface
See merge request apparmor/apparmor!464
Acked-by: Vincas Dargis <vindrg@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
(cherry picked from commit f56bab3f75)
61571da1 abstractions/mesa: allow checking if the kernel supports the i915 perf interface
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
(cherry picked from commit e92da079ca)
This reverts commit 378519d23f.
this commit was meant for the 2.13 branch not master
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9144e39d25)
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit cb8c3377ba)
abstractions/base: allow read access to /run/uuidd/request
See merge request apparmor/apparmor!445
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 80bf920929)
45fffc12 abstractions/base: allow read access to /run/uuidd/request
abstractions/gnome: also allow /etc/xdg/mimeapps.list
See merge request apparmor/apparmor!444
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 3becbbab2c)
67cf4fa3 abstractions/gnome: also allow /etc/xdg/mimeapps.list
abstractions/base: allow read access to top-level ecryptfs directories
See merge request apparmor/apparmor!443
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 24895ea302)
fbd8981e abstractions/base: allow read access to top-level ecryptfs directories
Allow /usr/etc/ in abstractions/authentication
openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.
See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.
Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162
See merge request apparmor/apparmor!426
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
(cherry picked from commit 1cfd4d4bbc)
ee7194a7 Allow /usr/etc/ in abstractions/authentication