We never did a release with the JSON code, and YaST (the only known user
of the JSON interface) will work with the added 'changes' dialog type
from r3721 without needing changes.
Also add a better comment/reason why a response for 'changes' is
expected, but gets ignored.
Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The python setup tools script is set to rewrite the shbang line of
scripts installed in ${PREFIX}/bin/ if the PYTHON environment variable
is set. Unfortunately, this (a) only covers the aa-easyprof script
as the rest are installed in ${PREFIX}/sbin/, and (b) we've deprecated
python 2 support, and hardcoded python3 as the interpreter for all of
the python scripts in the utils/ directory.
The only use for this feature would be if for some reason the utils did
not work properly with the default python3 interpreter and a specific
version was needed to be set, but I don't think that warrants keeping
the extra bit of code complexity around (and indeed, the snippet that
does this is forcibly disabled in Debian/Ubuntu).
Therefore, drop the shbang rewriting entirely.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
On 64bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT,
(2^22), which results in seven digit pids. Adjust the @{PID} variable in
tunables/global to accept this.
Acked-by: intrigeri <intrigeri@boum.org>
Acked-by: Steve Beattie <steve@nxnw.org>
Provides the filename in the json format, which can be
directly read by Yast. Increased the protocol version; perhaps
it should go in the next release.
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
[cboltz] fix "unused variable" warning and add a comment about ignoring
the JSON response
Acked-by: Christian Boltz <apparmor@cboltz.de>
This is a preparation patch to use for JSON mode of conveying
diff filename. In this patch we move diff generation functions to UI.
In the process, I have cleaned up the code to reduce code and enable reuse.
Remove unused function get_profile_diff().
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
[cboltz] Also adjust aa-mergeprof to the new function name/location
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The crash was caused by the more strict ProfileStorage in bzr trunk
(older versions use hasher() which is more forgiving, but also very
"useful" to hide quite some bugs)
Acked-by: Christian Boltz <apparmor@cboltz.de>
/etc/netconfig is required by the tirpc library which nscd and several
other programs use.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
The added testcase for a ptrace target with an empty string
(ptrace_garbage_lp1689667_1.in) was causing the swig python test script
to fail. The generated python swig record for libapparmor ends up
setting a number of fields to None or other values that indicate the
value is unset, and the test script was checking if the value in the
field didn't evaluate to False in a python 'if' test.
Unfortunately, python evaluates the empty string '' as False in 'if'
tests, resulting in the specific field that contained the empty string
to be dropped from the returned record. This commit fixes that by
special case checking for the empty string.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
YaST has two issues in the "save changed profiles" dialog:
- when using "save selected", the list of profiles doesn't get updated.
Update q.options inside the loop to fix this.
- the list of profiles is displayed as "["/usr/bin/foo", true]" instead
of just "/usr/bin/foo". Use changed.keys() instead of changed to fix
this. (text-mode aa-logprof doesn't change, it always displayed
"/usr/bin/foo" and continues to do so.)
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062667 part a)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11.
Note that 2.11 needs a slightly different patch (whitespace diff).
Merge fixes from Christian to address conflicting apparmor-utils
hotkeys in the Indonesian translation. Plus the usual lp timestamp
update.
Acked-by: Steve Beattie <steve@nxnw.org>
Updates to the following translations:
* binutils - add and update an entry to de.po
* utils
- de.po: add several entries
- en_GB.po: add many entries
- es.po: add non-existing(?) entry
- id.po: add many entries
- sv.po: update and add correct a number of entries
All other changes are the usual nonsense of launchpad updating
timestamps and export information.
Note one use of dbus is left because it is represnative of a unix
socket name used for communication with dbus
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The macro `PATH_MAX` macro is typically defined in the <limits.h>
header by the system's libc implementation. While we do not
include it right now, glibc indirectly includes it via other
headers already and thus compilation of the file succeeds. For
other libc implementations this may not be the case, which would
then lead to a compilation error. This is the case for musl libc.
Explicitly include <limits.h> to fix this.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
The define `RLIMIT_OFILE` is a historic macro originating from
the BSDs, which is nowadays an alias for `RLIMIT_NOFILE`. On some
implementations, it has thus been dropped in favor of the new
define, but we still assume it will always be defined in our
rlimit keywords table. Wrap it in an `ifdef` to fix compilation
on systems where it does not exist.
For the second macro `RLIMIT_RTTIME`, we do check for its
existence in our keywords table, but then forgot to do so in the
YACC rules. Wrap it into an `ifdef`, as well.
Both patches serve the goal to fix compilation on musl libc.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
The macros __BEGIN_DECLS and __END_DECLS are not conforming to
any standard, but are a custom extension of the glibc library. As
such, it may not be available in other libc implementations, with
one example being musl libc. So compiling libapparmor won't work
with a strictly standards-conforming library.
These macros are typically used for header files which might be
included in a C++ project. Depending on whether the header is
seen by a C or C++ compiler, it will hint that functions have C
linkage. The macros themselves are rather simple:
#ifdef __cplusplus
# define __BEGIN_DECLS extern "C" {
# define __END_DECLS }
#else
# define __BEGIN_DECLS
# define __END_DECLS
#endif
To fix compilation with musl libc, simply expand those macros to
explicitly use `extern "C"`. This is already used in other parts
of apparmor and should thus be safe to use.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
The old out of tree patchseries has been completely dropped. v4.13
has most of the newer apparmor 3.x code in it. v4.14 has the rest except
the af_unix mediation which is included as the last patch
These files are used by OpenAL for better spatialization of sounds
when headphones are detected.
Bug and patch by Simon McVittie <smcv@debian.org>:
https://bugs.debian.org/874665
Not all kernels support writing the path_max kernel parameter after
boot. Detect if it can be written and run the long_path tests only
if it can be.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
newer versions of apparmor that support multi-transaction have this xpass
case fixed
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Update the tests to test whether the kernel and parser support domain
transitions on pivot_root.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
so that policy will work on kernels that support network socket controls
but not the extended af_unix rules
however this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials for kernels that don't support
the extended af_unix rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: timeout
'smc' seems to be new in kernel 4.12.
Note that the 2.10 apparmor.d manpage also misses the 'kcm' keyword, so
the patch also adds it there.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.11 and 2.10.
The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
This parameter is always [], so we can simplify the ReadLog __init__()
parameters.
Note that some tests handed over '' instead of []. This was a bug, but
didn't matter because those tests only use a small portion of ReadLog.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
'log' is only used in do_logprof_pass, and reset to [] at the beginning
of the function. Therefore it doesn't need to be a global variable.
Also, do_logprof_pass() initializes log = [], which gets then handed
over to ReadLog and overwritten by the read_log() call in the next line.
To make clear that [] gets handed over to ReadLog, replace log with []
and drop the now superfluous initialization with [].
Acked-by: Seth Arnold <seth.arnold@canonical.com>
