/etc/netconfig is required by the tirpc library which nscd and several
other programs use.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
The added testcase for a ptrace target with an empty string
(ptrace_garbage_lp1689667_1.in) was causing the swig python test script
to fail. The generated python swig record for libapparmor ends up
setting a number of fields to None or other values that indicate the
value is unset, and the test script was checking if the value in the
field didn't evaluate to False in a python 'if' test.
Unfortunately, python evaluates the empty string '' as False in 'if'
tests, resulting in the specific field that contained the empty string
to be dropped from the returned record. This commit fixes that by
special case checking for the empty string.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
YaST has two issues in the "save changed profiles" dialog:
- when using "save selected", the list of profiles doesn't get updated.
Update q.options inside the loop to fix this.
- the list of profiles is displayed as "["/usr/bin/foo", true]" instead
of just "/usr/bin/foo". Use changed.keys() instead of changed to fix
this. (text-mode aa-logprof doesn't change, it always displayed
"/usr/bin/foo" and continues to do so.)
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062667 part a)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11.
Note that 2.11 needs a slightly different patch (whitespace diff).
Merge fixes from Christian to address conflicting apparmor-utils
hotkeys in the Indonesian translation. Plus the usual lp timestamp
update.
Acked-by: Steve Beattie <steve@nxnw.org>
Updates to the following translations:
* binutils - add and update an entry to de.po
* utils
- de.po: add several entries
- en_GB.po: add many entries
- es.po: add non-existing(?) entry
- id.po: add many entries
- sv.po: update and add correct a number of entries
All other changes are the usual nonsense of launchpad updating
timestamps and export information.
Note one use of dbus is left because it is represnative of a unix
socket name used for communication with dbus
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The old out of tree patchseries has been completely dropped. v4.13
has most of the newer apparmor 3.x code in it. v4.14 has the rest except
the af_unix mediation which is included as the last patch
Not all kernels support writing the path_max kernel parameter after
boot. Detect if it can be written and run the long_path tests only
if it can be.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
newer versions of apparmor that support multi-transaction have this xpass
case fixed
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Update the tests to test whether the kernel and parser support domain
transitions on pivot_root.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
so that policy will work on kernels that support network socket controls
but not the extended af_unix rules
however this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials for kernels that don't support
the extended af_unix rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: timeout
'smc' seems to be new in kernel 4.12.
Note that the 2.10 apparmor.d manpage also misses the 'kcm' keyword, so
the patch also adds it there.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.11 and 2.10.
The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
This parameter is always [], so we can simplify the ReadLog __init__()
parameters.
Note that some tests handed over '' instead of []. This was a bug, but
didn't matter because those tests only use a small portion of ReadLog.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
'log' is only used in do_logprof_pass, and reset to [] at the beginning
of the function. Therefore it doesn't need to be a global variable.
Also, do_logprof_pass() initializes log = [], which gets then handed
over to ReadLog and overwritten by the read_log() call in the next line.
To make clear that [] gets handed over to ReadLog, replace log with []
and drop the now superfluous initialization with [].
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
profiles - it's included via abstractions/nameservice
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
In http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3659,
a testcase was added that where the expected output file did not match
the input source name, cause libapparmor's regression tests to fail:
Output doesn't match expected data:
--- ./test_multi/ptrace_no_denied_mask.out 2017-08-18 16:35:30.000000000 -0700
+++ ./test_multi/out/ptrace_no_denied_mask.out 2017-08-18 16:35:38.985863094 -0700
@@ -1,5 +1,5 @@
START
-File: ptrace_1.in
+File: ptrace_no_denied_mask.in
Event type: AA_RECORD_DENIED
Audit ID: 1495217772.047:4471
Operation: ptrace
FAIL: ptrace_no_denied_mask
This patch corrects the issue.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Merge from Vincas Dargis, approved by intrigeri
Fix user-write and user-download abstractions for non-latin file names.
Acked-by: Steve Beattie <steve@nxnw.org>
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
- allow reading @{PROC}/@{pid}/net/netstat and @{PROC}/@{pid}/net/snmp
- drop owner conditional - /proc/*/net/* is always owned by root, and
the owner conditional means breaking netstat for non-root users
- drop "@{PROC}/@{pids}/fd r," - /proc/*/fd is a directory, so this rule
would never apply
Acked-by: Steve Beattie <steve@nxnw.org>
Addition by Steve Beattie:
- also allow @{PROC}/@{pid}/net/udplite and @{PROC}/@{pid}/net/udplit6
Acked-by: Christian Boltz <apparmor@cboltz.de>
get_file_perms() and propose_file_rules() happily collect all file
permissions. This could lead to proposing 'wa' permissions in
aa-logprof, which then errored out because of conflicting permissions.
This patch adds a check to both functions that removes 'a' if 'w' is
present, and extends the tests to check this.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11.
Note: Both functions (including this bug) were introduced together with
FileRule, so older releases are not affected.
When creating a new child profile, handle_children() did only copy over
include and path rules. While this was correct in the past, path rules
got changed to FileRule in the meantime and were therefore lost.
(In practise, this means the "$binary mr," rule wasn't added to the new
child profile, causing a "superfluous" question in aa-logprof.)
This patch changes handle_children() to carry over the complete new
child profile instead of only cherry-picking include and path rules.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.11.
Older versions (with path as hasher) are not affected.
Create an EXIT STATUS header and place the BUGS section after the EXIT
STATUS section to match the style in aa-enabled.pod.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Make the possible exit status values bold to match the style used in
aa-status.pod as of r3680.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
This option exists in several aa-* tools since 2.9, but isn't mentioned
in the manpage.
Also drop some trailing whitespace in the manpages.
Acked-by: John Johansen <john.johansen@canonical.com>
for 2.9, 2.10, 2.11 and trunk.
While performing genprof, The message to start and scan the program
is mentioned in a separate important message, while it can be
presented as a part of the explanation of the PromptQuestion.
While this will not change the output of text mode, this will help
json clients like yast be more expressive.
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Also make 'ruletypes' a dict pointing to the *Ruleset class, and change
ProfileStorage __init__() to iterate over 'ruleset'.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
