Similarly to https://gitlab.com/apparmor/apparmor/-/merge_requests/689, use the
global CFLAGS when building Python library, so we honor extra flags set by
distributions, such
as -fstack-protector-strong -fstack-clash-protection -Werror=format-security -fcf-protection.
Spotted by blhc on Debian.
Gbp-Pq: Name Honor-global-CFLAGS-when-building-Python-library.patch
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1254
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Similarly to https://gitlab.com/apparmor/apparmor/-/merge_requests/689, use the
global CFLAGS when building Python library, so we honor extra flags set by
distributions, such
as -fstack-protector-strong -fstack-clash-protection -Werror=format-security -fcf-protection.
Spotted by blhc on Debian.
Gbp-Pq: Name Honor-global-CFLAGS-when-building-Python-library.patch
Installation of php-fpm fails on Ubuntu because the profile does not
allow writing to /run/systemd/notify.
Fixes: https://bugs.launchpad.net/bugs/2061113
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This file contains the same kind of information as @{PROC}/@{pid}/net/route
and both files are world readable:
```
$ ls -l /proc/self/net/*route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/ipv6_route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/route
```
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1246
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This file contains the same kind of information as @{PROC}/@{pid}/net/route
and both files are world readable:
```
$ ls -l /proc/self/net/*route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/ipv6_route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/route
```
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
Initialize 'ret' variable to EXIT_FAILURE instead of doing so
in every error handling. Also fixes error handling in the case that mkfifio() fails.
Signed-off-by: Leesoo Ahn <lsahn@ooseel.net>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1245
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>
aa-remove-unknown doesn't deal properly with profiles that contain
spaces in their names.
Using profile "MongoDB Compass" as an example, awk's sub returns the
number of matches - either 1 or 0 and replaces the actual string ($0)
with the substitution. By accessing the return of sub with $, awk
would be accessing $1 which would return only "MongoDB".
Fix this by using $0 instead of $str.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/395
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes#395
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1243
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
In the course of preparing !1207, I found that the validation rules in `profiles/Makefile` did not take kindly to the new `profiles/apparmor/profiles/extras/abstractions/` directory. I tried a couple rounds of quick fixes, but it became clear that the rules as currently written were just not amenable to the new addition, and needed more attention than I could give it by-the-by.
So I separated out that commit, and revised the makefile more thoroughly. The updated rules now rely more on `find(1)` than `$(wildcard)`, and have a number of [what I believe to be] small quality-of-life improvements. Taken together, `make check` passes cleanly with the new files from my other MR present.
One thing I noticed was that the profiles under `apparmor.d/` were not previously being checked for the `include if exists <local/*>` bit---only the ones under `extras/`. I've thus included a fix to the `sbuild-shell` profile, which fortunately was the only one that failed the check.
Note that at present, you'll get a couple of harmless `find: ‘./apparmor/profiles/extras/abstractions’: No such file or directory` errors when running the checks, since that directory won't appear until the other MR is merged. I figure, better to bear that for now, and not have to touch the makefile again later.
NOTE: The CI pipeline here will need to be updated to invoke the `check-local` target instead of `check-extras`. This target was renamed as it is no longer limited in scope to the profiles under `extras/`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1214
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This gets `chromium` and `ungoogled-chromium` working again on Ubuntu 24.04; see discussion [here](#394).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1238
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
saddr, daddr, src and dest are used in network logs
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1239
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
aa-remove-unknown doesn't deal properly with profiles that contain
spaces in their names.
Using profile "MongoDB Compass" as an example, awk's sub returns the
number of matches - either 1 or 0 and replaces the actual string ($0)
with the substitution. By accessing the return of sub with $, awk
would be accessing $1 which would return only "MongoDB".
Fix this by using $0 instead of $str.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/395
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Without this patch, aa-remove-unknown uses 'profile_name (unconfined)'
when trying to unload unconfined profiles, which fails for obvious
reasons with (picking a random example)
Removing 'busybox (unconfined)'
/sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory
I propose this patch for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1240
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Without this patch, aa-remove-unknown uses 'profile_name (unconfined)'
when trying to unload unconfined profiles, which fails for obvious
reasons with (picking a random example)
Removing 'busybox (unconfined)'
/sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory
... and tests for it.
This replaces the old code that just stores the full rule as text.
We also get rid of the old ['allow'] and ['deny'] items in
ProfileStorage, the handling of old write functions, and the last usage
of _Raw_Rule (and therefore _Raw_Rule itsself).
Also delete the old test-pivot_root_parse.py which relied on the ancient
code, and even used a wrong syntax in its test rules.
Oh, and aa-logprof can now ask about pivot_root events.
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1232
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source.
Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid.
For the same reason, specifying a fstype in these cases is also prohibited.
Similarly, we prohibit to specify a fstype for bind mount rules.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1236
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source.
Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid.
For the same reason, specifying a fstype in these cases is also prohibited.
Similarly, we prohibit to specify a fstype for bind mount rules.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
... for handling pivot_root rules.
This replaces the old code that just stores the full rule as text.
We also get rid of the old ['allow'] and ['deny'] items in
ProfileStorage, the handling of old write functions, and the last usage
of _Raw_Rule (and therefore _Raw_Rule itsself).
Also delete the old test-pivot_root_parse.py which relied on the ancient
code, and even used a wrong syntax in its test rules.
The following exceptions were added to flake8 since they have several
expected uses in the tools and their tests:
E501: Line lengths are recommended to be no greater than 79 characters.
E241: Multiple spaces after ','
W503: Line break occurred before a binary operator
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
ProfileStorage knows a whole profile, therefore it should also include the profile header in `__repr__()`.
Also add a test for this.
While on it, add a test for an invalid type change for a type that doesn't have special handling in `__setitem__()` to increase test coverage.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1233
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
These are no longer needed because we have MountRule and UnixRule
classes now.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1230
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Since musl 1.2.5, basename(3) prototype is only provided in libgen.h
(as mandated by POSIX) and not in strings.h. Also there is a major
difference between the gnu basename and the one defined in libgen.h,
the latter modify the argument string making them incompatible.
Fix this by defining a portable version of basename using strchr.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1234
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Since musl 1.2.5, basename(3) prototype is only provided in libgen.h
(as mandated by POSIX) and not in strings.h. Also there is a major
difference between the gnu basename and the one defined in libgen.h,
the latter modify the argument string making them incompatible.
Fix this by defining a portable version of basename using strchr.
audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.
Change logparser.py to also consider `operation=mount` as a mount event.
Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.
Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.
Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.
I propose this fix for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1229
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.
Change logparser.py to also consider `operation=mount` as a mount event.
Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.
Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.
Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.
Did some testing on a fresh post-release image of noble, and uncovered some new denials:
#### Xorg
`2024-05-06T19:55:36.782484-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715039736.765:174): apparmor="DENIED" operation="link" class="file" profile="Xorg" name="/tmp/.X0-lock" pid=1366 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 target="/tmp/.tX0-lock"`
#### chromium_browser
`2024-05-06T21:17:09.674963-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715040834.256:168): apparmor="DENIED" operation="userns_create" class="namespace" profile="chromium_browser" pid=2133 comm="chromium" requested="userns_create" denied="userns_create"`
#### firefox
`2024-05-06T21:33:09.387356-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045589.369:505): apparmor="DENIED" operation="userns_create" class="namespace" profile="firefox" pid=3610 comm="firefox" requested="userns_create" denied="userns_create"`
`2024-05-06T21:36:48.911280-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045808.884:682): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/fs/cgroup/user.slice/user-1000.slice/session-c2.scope/cpu.max" pid=4348 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`2024-05-06T21:42:34.152955-04:00 image-ubuntu64 dbus-daemon[1628]: apparmor="DENIED" operation="dbus_bind" bus="session" name="org.mpris.MediaPlayer2.firefox.instance_1_82" mask="bind" pid=4348 label="firefox"`
#### Xorg (second commit)
I neglected to set `abi/4.0` when this went in originally. (I was using the profile on jammy, hence the `3.0`.)
Also, testing on an older laptop that *doesn't* support KMS revealed that Xorg needs some pretty serious permissions then. I've added them in commented-out form, with an explanatory comment. (The `#nokms#` bit is meant to simplify uncommenting those two lines mechanically, e.g. `sed -i 's/#nokms#//'`)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1227
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Latest python setuptools don't accept a `~` in the version, and fail the
build. Replace `~` with `-` to avoid this.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1217
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
