http://thread.gmane.org/gmane.linux.kernel/1289986
This allows for drivers that support poll to prevent suspend. Adjust
utils/severity.db for this.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
create-apparmor.vim.py was failing on systems with python 2.5, fix that
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
This patch moves the generation of file rules from apparmor.vim.in to
create-apparmor.vim.py. It also adds support for
- filenames in quotes
- reverse syntax (permissions first)
The patch also removes an outdated $Id header in apparmor.vim.in and
updates the copyright year.
Acked-By: John Johansen <john.johansen@canonical.com>
* the application, library, documentation and installation script
* the initial templates and policy groups. This will undoubtedly need
refinement as we get feedback from users. Initial policy is based on Ubuntu's
Application Review Board (ARB) requirements[2].
* tests for the library
* Makefile integration
Templates are stored in /usr/share/apparmor/easyprof/templates and policy
groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via
/etc/apparmor/easyprof.conf.
The aa-easyprof.pod has complete documentation on usage with some
additional information in utils/easyprof/README (mostly duplicated
here).
Testing can be performed in a number of ways:
$ cd utils ; make check # runs unit tests and pyflakes
Unit tests manually:
$ ./test/test-aa-easyprof.py
In source manual testing:
$ ./aa-easyprof --templates-dir=./easyprof/templates \
--policy-groups-dir=./easyprof/policygroups \
... \
/opt/foo/bin/foo
Post-install manual testing:
$ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install
$ cd /tmp/test
$ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \
--templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \
--policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \
/opt/bin/foo
(you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid
specifying --templates-dir and --policy-groups-dir).
Committing this now based on conversation with John and Steve.
Acked-By: Jamie Strandboge <jamie@canonical.com>
When writing out a profile, aa-logprof incorrectly converts PUx execute
permission modes to the syntactically invalid UPx mode, because the
function that converts the internal representation of permissions to
a string emits the U(nconfined) mode bit before the P bit.
This patch corrects this by reordering the way the exec permissions
are emitted, so that P and C modes come before U and i. Based on
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
this should emit the modes correctly in all combined exec modes.
Other approaches to fixing this would require adjusting the data
structure that contains the permission modes, resulting in a more
invasive patch.
Bug: https://launchpad.net/bugs/982619
manpages (and adjust it so that it's one rule instead of eight). It
also fixes the above problem and a similar problem in the aa-exec
manpage.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
This patch calls autodep on the 'exec'ed binary when the user selects
to place that execution in a child profile. Previously, logprof would
create an entirely empty child profile in complain mode (this fix
still leaves the child profile in complain mode).
This patch fixes a couple of issue with autodep:
1) The initial profile construction had not been adjusted to include
the 'allow' or 'deny' hash prefixing the path elements. This
fixes it by eliminating the path portion entirely and pushing
the path based accesses to the later analysis section of code.
2) the mode of the original binary was accidentally getting reset
to 0, when it was intended to initialize the audit field to 0.
This patch adds a make install target for the generated apparmor.vim
file, installing by default into /usr/share/apparmor based on IRC
discussions; alternate suggestions welcome. (Installing directly
into the vim syntax tree is difficult as the system path by default
contains the vim version number.)
This patch replaces the apparmor.vim generating script with a python
version that eliminates the need for using the replace tool from the
mysql-server package. It makes use of the automatically generated
lists of capabilities and network protocols provided by the build
infrastructure. I did not capture all the notes and TODOs that
Christian had in the shell script; I can do so if desired.
It also hooks the generation of the apparmor.vim file into the utils/
build and clean stages.
This patch adds several missing capabilities to the utils/
severity.db file as detected by the newly added make check target,
along with corresponding severity levels that I believe :re appropriate
(discussion welcome):
CAP_MAC_ADMIN 10
CAP_MAC_OVERRIDE 10
CAP_SETFCAP 9
CAP_SYSLOG 8
CAP_WAKE_ALARM 8
The latter two are undocumented in the capabilities(7) man page
provided in Ubuntu 12.04; the syslog one is the separation out of
accessing the dmesg buffer from CAP_SYSADMIN, and the CAP_WAKE_ALARM
allows setting alarms that would wake a system from a suspended state,
if my reading is correct.
This also fixes a trailing whitespace on CAP_CHOWN, moves
CAP_DAC_READ_SEARCH to the end of the section of capabilities it's
in due to its lower priority level (7).
capabilities
This patch adds a new make target, check_severity_db, to the
utils/Makefile. It greps the severity.db for the presence of each
capability, as computed by the newly abstracted out variable in
common/Make.rules, and issues a build time error if it finds any
missing.
It also silences the check targets, so that only the output from them
will be emitted.
The aa-exec command can be used to launch an application under a specified
confinement, which may be different for what regular profile attachment
would apply.
Signed-off-by: John Johansen <john.johansen@canonical.com>
capabilities). The rule will be marked in the "dangerous capability"
color.
Additionally, the patch removes the (already commented out) code for
"set capability".
Acked-by: Kees Cook <kees@ubuntu.com>
When running installing apparmor-utils from Makefile, some warnings are
generated: make[1]: warning: jobserver unavailable: using -j1. Add
`+' to parent make rule.
Use $(MAKE) instead of make
Signed-off-by: John Johansen <john.johansen@canonical.com>
If $DISPLAY is not set and --display is not used, aa-notify prints a
warning that notifications won't be shown (exact warning text depends if
using sudo or not).
Acked-by: John Johansen <john.johansen@canonical.com>
- set HOME (and DISPLAY) only once on startup to avoid NSS lookups
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <opensuse@cboltz.de>
openSUSE, which results in non-working desktop notifications in aa-notify
because $notify_exe is unable to connect to DBUS to display the message.
This patch sets the correct value for $HOME.
The code for setting $DISPLAY is still under discussion, therefore only
a TODO note is included in this commit for $DISPLAY.
Acked-By: John Johansen <john.johansen@canonical.com>
Subject: apparmor-utils: Add support for creds and path operations
References: bnc#564316
2.6.29 introduced the path security_operations and credentials
This patch adds support for those operations to the log parser.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Resolved merge conflict and removal operation already supported by
the log parser.
Acked-by: John Johansen <john.johansen@canonical.com>
instead.
Needed at least on upgraded Ubuntu machines that went from messages to
syslog recently. If this causes problems, we can easily revert it.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
syslog, otherwise audit events will get dropped.
This runs the risk of having the kernel log wrap around, but that
is a less common case that what this solves. This is a work-around
that will go away when complain info takes a different path in the
future.
I intentionally don't allow pUx and Pux since the behaviour of those is
very unexpected (the first letter decides if the environment is cleaned
up or not - at least that's the result of the discussion in April) and
the average user won't know this.
Acked-by: John Johansen <john.johansen@canonical.com>
