- the base abstraction for common abstract and anonymous rules (comments
included per rule)
- dbus-session-strict to add a rule for connecting to the dbus session
abstract
socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
explicit label if people preferred that
- X to add a rule for connecting to the X abstract socket. Same as for
dbus-session-strict
- nameservice to add a rule for connecting to a netlink raw. This change could
possibly be excluded, but applications using networking (at least on Ubuntu)
all seem to need it. Excluding it would mean systems using nscd would need to
add this and ones not using it would have a noisy denial
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
before the af type protocol mappings patch was applied, a single rule could
result in multiple rule entries being created. The af type protocol mappings
patch broke this by apply only the first of the mappings that could be
found.
Restore the previous behavior by search through the entire table until
all matches have been made.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
add a add_to_options() helper function to aa.py which
- adds newpath to options if it's not already there
- returns the updated options and the index of newpath
This removes duplicated code for CMD_GLOB and CMD_GLOBEXT in
ask_the_question()
It also adds duplicate prevention to CMD_NEW.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
When reaching EOF while still in a profile (syntax-wise), there are two
possible reasons:
- missing "}"
- missing "," in the last rule (which means that, thanks to multiline
rule handling, the "}" is considered to be part of the last rule)
This patch improves the error message in aa.py to cover a missing ","
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
but should look for '//null-' instead.
Also remove some code duplication by merging with the next condition,
which executes the same self.add_to_tree code.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 126, in check_for_LD_XXX
for line in f_in:
[...]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xf8 in position 40: ordinal not in range(128)
While on it, also replace usage of the "found" variable by "return"
statements, which should bring a small performance improvement - if we
have a match, it's superfluous to continue searching.
The patch also adds me to the copyright header ;-)
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
they only fail because of one (expected) reason and we notice if they
don't fail anymore. Complex profiles have the risk to fail for multiple
reasons, which also means nobody will notice if they fail for one reason
less.
The simplification is done by
- removing #include lines
- in some cases, replace the #include line with "/foo/bar r," to avoid
empty hats
Acked-by: Steve Beattie <steve@nxnw.org>
Kernel ABI v6 only required 'w' permissions for the parent process that
creates the socket, accepts a connection, writes to the socket, and
reads from the socket.
Kernel ABI v7 will require 'rw' permissions for the parent process. This
change detects the current kernel ABI version and adjusts the parent
process's confinement appropriately. It also performs a negative test to
make sure that 'w' is not sufficient.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This change only sets up unix_socket.sh to test abstract sockets.
Unconfined processes are tested while using an abstract socket but
the test function returns before testing with confinement.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Rename the test in preparation for expanding its capabilities to cover
all UNIX domain socket address format types.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
openSUSE now compiles samba --with-cachedir=/var/lib/samba (instead of
the default /var/cache/samba). This patch updates the smbd profile to
match this change.
Acked by: Seth Arnold <seth.arnold@canonical.com>
user/password files (everybody will use a different filename for the
user/password list - and when you allow reading the password list,
allowing to read the config doesn't add any harm ;-)
References: https://bugzilla.novell.com/show_bug.cgi?id=874094
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Subject: perl-apparmor: Properly handle bare 'file' keyword
References: bnc#889652
The bare file keyword is a shortcut for /{**,}. There are also implied
permissions that go with it.
This patch accepts the file keyword as well as allowing for missing mode
specifiers.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Subject: perl-apparmor: Handle bare 'capability' keyword
References: bnc#889651
Specifying 'capability' implies all capabilities, but the perl code didn't
recognize it.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Subject: perl-apparmor: Fix bare 'network' keyword handling
References: bnc#889650
The 'network' bare keyword was being printed as "audit network all" due to
two different bugs:
1) {audit}{all} was always being set to 1, regardless of whether the audit
keyword was used
2) {rule} eq 'all' is the wrong test - it should be {rule}{all}
With these fixed, 'network' is properly handled.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
- allow users to merge two profiles (2-way merge) using aa-mergeprof by
making the third profile optional
- re-enable code that cleaned up base and other profile and using it in
deleted count (was disabled due to pyflakes thinking it was unused)
Patch by Kshitij Gupta <kgupta8592@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adjusts the verbosity of several of the utils tests,
to make them all consistently verbose.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
tree python modules.
Also remove "sys.path.append('../')" (and now-unused "import sys") from
all tests that contain it for consistency and to make testing with the
installed modules possible (even if we don't have a USE_SYSTEM option
yet).
Acked-by: Steve Beattie <steve@nxnw.org>
saving the remaining profile after using "save selected profile".
When using "save selected profile", write_profile() (called by
write_profile_ui_feedback()) does "changed.pop(profile_name)".
However, saving the remaining profiles in save_profiles() uses a cached
version of changed.keys() and therefore tries to save a profile that
was already saved and is no longer part of "changed".
Also remove two commented lines we'll never need again:
- #changed.pop is done in write_profile()
- q['options'] is set some lines above
References: https://bugs.launchpad.net/apparmor/+bug/1341178
Acked-by: Steve Beattie <steve@nxnw.org>
This patch adds the new capability CAP_AUDIT_READ, added in the 3.16
kernel, to the utils severity.db. I set the severity level at 7,
since it seemed to offer less exposure than CAP_AUDIT_CONTROL and
CAP_AUDIT_WRITE, which are both considered severity 8.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
testcases) to
- sleep 10 seconds after each failed test to make failures more annoying
^W^W^W^Wgive people a chance to read failure details
- print a list of failed tests at the end
Also avoid duplicate code by letting runtests-py2.sh call runtests-py3.sh.
Acked-by: Steve Beattie <steve@nxnw.org>
LOG_MODE_RE is also defined (and used) in aamode.py.
This patch removes the superfluous definition from logparser.py.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
