On certain lxc containers, when aa-genprof tries to set
printk_ratelimit, it fails with the OSError exception, with the
message "OSError: [Errno 30] Read-only file system" instead of
PermissionError.
Since PermissionError is a subclass of OSError, replace it by broader
OSError exception to include both cases in which running aa-genprof
fails.
Reported-by: Paulo Flabiano Smorigo <paulo.smorigo@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1539
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Instead of setting those variables unconditionally, set them if they
aren't externally set by environment variables. This will allow for usages
like DESTDIR=/some/other/dir make install in the utils directory.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1542
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Instead of setting those variables unconditionally, set them if they
aren't externally set by environment variables. This will allow for usages
like DESTDIR=/some/other/dir make install in the utils directory.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
On certain lxc containers, when aa-genprof tries to set
printk_ratelimit, it fails with the OSError exception, with the
message "OSError: [Errno 30] Read-only file system" instead of
PermissionError.
Since PermissionError is a subclass of OSError, replace it by broader
OSError exception to include both cases in which running aa-genprof
fails.
Reported-by: Paulo Flabiano Smorigo <paulo.smorigo@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Changes include:
- using `long` instead of `intmax_t` for `pid_t` typemap (32-bit build failure); see commit message for more details
- specifying messages for `static_assert` declarations (required up until C23, was accepted as a compiler extension on the systems I had tested this on previously)
- removing label-followed-by-declaration instance (also a C23 feature supported as extension)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1536
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The documentation was missing information about path sanitization, and
why you shouldn't do a leading @{VAR} on path rules. While the example
doing this was fixed, actual information about why you shouldn't do
this was missing.
Document how apparmor will collapse consecutive / characters into a
single character for paths, except when this occurs at the start of
the path.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1532
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
The message being optional is apparently a C23 thing that was available as an extension on the systems I tested on previously
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The previous code using intmax_t failed to build on armhf because
intmax_t was long long int instead of long int on that platform.
As to shrinking down to a long: not only does SWIG lack a
SWIG_AsVal_intmax_t, but aalogparse also assumes PIDs fit in a long
by storing them as unsigned longs in aa_log_record. Thus, we can
assume that sizeof(pid_t) <= sizeof(long) right now and deal with
the big headache that a change to pid_t would cause if it becomes
larger than a long in the future.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The documentation was missing information about path sanitization, and
why you shouldn't do a leading @{VAR} on path rules. While the example
doing this was fixed, actual information about why you shouldn't do
this was missing.
Document how apparmor will collapse consecutive / characters into a
single character for paths, except when this occurs at the start of
the path.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The unshare-userns-restrict profile contained a cx transition to
transition to a profile that allows most things while denying
capabilities:
audit allow cx /** -> unpriv,
However, this transition does not stack the unshare//unpriv profile
against any other profile the target binary might have had. As a result,
the lack of stacking resulted in a non-namespace-related sandboxing
bypass in which attachments of other profiles that should have confined
the target binary do not get applied. Instead, we adopt a stack similar
to the one in bwrap-userns-restrict, with the exception that unshare
does not use no-new-privs and therefore only needs a two-layer stack
instead of a three-layer stack.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1533
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The unshare-userns-restrict profile contained a cx transition to
transition to a profile that allows most things while denying
capabilities:
audit allow cx /** -> unpriv,
However, this transition does not stack the unshare//unpriv profile
against any other profile the target binary might have had. As a result,
the lack of stacking resulted in a non-namespace-related sandboxing
bypass in which attachments of other profiles that should have confined
the target binary do not get applied. Instead, we adopt a stack similar
to the one in bwrap-userns-restrict, with the exception that unshare
does not use no-new-privs and therefore only needs a two-layer stack
instead of a three-layer stack.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
AppArmor profile for `iotop-c`, developed and tested in Ubuntu 24.04 LTS.
Signed-off-by: Allen Huang <allen.huang@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1520
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
profile for wpa_supplicant in oracular
tested: creating, connecting, disconnecting, removing wireless networks, hotspot and p2 networks
Signed-off-by: Sudhakar Verma <sudhakar.verma@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1385
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
- Remove `owner` in /proc/ rules to enable non-root users
- add "include if exists" line to pass the pipeline
- change <abstractions/nameservice> to smaller <abstractions/nameservice-strict>
Signed-off-by: Allen Huang <allen.huang@canonical.com>
The existing test checks that the tinyproxy systemd service is confined. However
it is possible that this confinement is based on systemd launching tinyproxy
with the expected profile, rather than tinyproxy running under the profile due
to path-based attachment. So add an explicit check for this as well as requested
by @zyga-aka-zygoon in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1477#note_2334724042
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1523
Approved-by: Zygmunt Krynicki <me@zygoon.pl>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
- add profile for tshark
- sub profile for dumpcap
- tested with tests from upstream wireshark project,not all test cases
passed but failures unrelated to apparmor restriction
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1384
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
Some weirdnesses:
- The Perl abstraction specifies an ix execution mode for Perl, while my impression from the Python abstraction is that we shouldn't be specifying execution modes for the script interpreter in the abstractions. It's probably too late to change that though.
- Tcl apparently doesn't have an abstraction available. Given the way it's embedded into applications like ZNC, I'm assuming that Tcl doesn't have support files the way Python does.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1376
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Add AA profile for tnftp. This profile has been tested on the latest oracular tnftp version 20230507-2build3 which is also the latest upstream version. This profile limits the file downloads to common download directories and /tmp. It also cripples the "!" command denying access to network and allowing the execution of binaries located directories for which we deny write access. Any feedback is welcome.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1363
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Add AA profile for `socat`. This profile has been tested on the latest oracular socat version `1.8.0.0-4build3` and the latest upstream version `1.8.0.1`. I raised the PR and this profile has already been merged on the `roddhjav/apparmor.d` repo, [here](https://github.com/roddhjav/apparmor.d/pull/454). For now, I have added this profile in "extra", but let me know if you think otherwise, any feedback is welcome.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1319
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
It is now possible to select individual rules to allow through an
improved GUI (ShowMoreGUIAggregated).
This commit also simplifies codebase thanks to new classes ProfileRules
and SelectableRules.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1444
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The current behavior of priority rules can be non-intuitive with
higher priority rules completely overriding lower priority rules even in
permissions not held in common. This behavior does have use cases but
its can be very confusing, and does not normal policy behavior
Eg.
priority=0 allow r /**,
priority=1 deny w /**,
will result in no allowed permissions even though the deny rule is
only removing the w permission, beause the higher priority rule
completely over ride lower priority permissions sets (including
none shared permissions).
Instead move to tracking the priority at a per permission level. This
allows the w permission to still override at priority 1, while the
read permission is allowed at priority 0.
The final constructed state will still drop priority for the final
permission set on the state.
Note: this patch updates the equality tests for the cases where
the complete override behavior was being tested for.
The complete override behavior will be reintroduced in a future
patch with a keyword extension, enabling that behavior to be used
for ordered blocks etc.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1522
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The existing test checks that the tinyproxy systemd service is confined. However
it is possible that this confinement is based on systemd launching tinyproxy
with the expected profile, rather than tinyproxy running under the profile due
to path-based attachment. So add an explicit check for this as well as requested
by @zyga-aka-zygoon in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1477#note_2334724042
Signed-off-by: Alex Murray <alex.murray@canonical.com>
This profile deliberately does not use `abstractions/audio`, instead listing only the subset of the interfaces required to enumerate audio devices and control their volume, without the parts needed to actually send or receive audio from them. This could also be a useful basis for splitting `abstractions/audio` into finer-grained subcomponents.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1517
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This requires a runner with the tags: linux, x86_64, kvm. One needs to
be provisioned for the AppArmor project for the pipeline to function.
It is possible to run the same tests on SAAS runners offered by GitLab
but due to issue gitlab-org/gitlab-runner#6208 there is no way to expose
/dev/kvm on the host to the guest. Without this feature emulation works
but is rather slow as to be impractical.
Note that there's some overlap between the build-all job and spread that
might be avoided in the future. At present this is made more difficult
by the fact that the path where build-all job builds libapparmor is
stored internally by autotools. This prevents us from using GitLab
artifacts from moving the built files across to the spread testing jobs
without extra work.
In addition to adding the spread job, remove test-build-regression job.
This job is now redundant since the same operation is done when spread
builds and runs regression tests.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1512
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Unfortunately similar to bwrap unshare will need the mediate_deleted
flag in some cases.
see
commit 6488e1fb7 "profiles: add mediate_deleted to bwrap"
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1521
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Ryan Lee <rlee287@yahoo.com>
This was tested using the test-tinyproxy.py script from qa-regression-testing as
well as by running the upstream test suite with a brief hack to ensure it
invokes tinyproxy with aa-exec -p tinyproxy first.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1477
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
Unfortunately similar to bwrap unshare will need the mediate_deleted
flag in some cases.
see
commit 6488e1fb7 "profiles: add mediate_deleted to bwrap"
Signed-off-by: John Johansen <john.johansen@canonical.com>
The current behavior of priority rules can be non-intuitive with
higher priority rules completely overriding lower priority rules even in
permissions not held in common. This behavior does have use cases but
its can be very confusing, and does not normal policy behavior
Eg.
priority=0 allow r /**,
priority=1 deny w /**,
will result in no allowed permissions even though the deny rule is
only removing the w permission, beause the higher priority rule
completely over ride lower priority permissions sets (including
none shared permissions).
Instead move to tracking the priority at a per permission level. This
allows the w permission to still override at priority 1, while the
read permission is allowed at priority 0.
The final constructed state will still drop priority for the final
permission set on the state.
Note: this patch updates the equality tests for the cases where
the complete override behavior was being tested for.
The complete override behavior will be reintroduced in a future
patch with a keyword extension, enabling that behavior to be used
for ordered blocks etc.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The original patch adding priority to the set of prefixes failed to
update the prefix dump to include the priority priority field.
Fixes: e3fca60d1 ("parser: add the ability to specify a priority prefix to rules")
Signed-off-by: John Johansen <john.johansen@canonical.com>
The priority field is only used during state construction, and can
even prevent later optimizations like minimization. The parser already
explcitily clears the states priority field as part of the last thing
done during construction so it doesn't prevent minimization
optimizations.
This means the state priority not only wastes storage because it is
unused post construction but if used it could introduce regressions,
or other issues.
The change to the minimization tests just removes looking for the
priority field that is no longer reported.
Signed-off-by: John Johansen <john.johansen@canonical.com>
