Jamie Strandboge
23bc2980c6
ubuntu-media-players: add gmplayer
2010-06-08 14:33:31 -05:00
Jamie Strandboge
f8c7cee59c
allow thunderbird 3 in abstractions/ubuntu-email
2010-06-07 08:30:34 -05:00
Kees Cook
6737031eb9
hrm, since I added code, I need to update the copyright details.
2010-06-04 18:57:01 -07:00
Kees Cook
7cfc7e1133
add correct line number and filename tracking for error conditions (LP: #588014)
Bug: https://launchpad.net/bugs/588014
2010-06-04 18:47:44 -07:00
Kees Cook
67bd489ba8
add generated files from parser/ to ignore list
2010-06-04 18:39:20 -07:00
Kees Cook
34f5510faf
network interface enumeration
2010-06-04 17:44:59 -07:00
Kees Cook
0e07298340
update for font/icon/mime locations in current gnome
2010-06-04 17:44:30 -07:00
Kees Cook
a7fd5abe37
statvfs allowed by default
2010-06-04 17:43:11 -07:00
Jamie Strandboge
a029b16066
apparmor_notify:
- verify $opt_s is initialized (LP: #582075)
- don't show summary if $opt_s < 1
2010-05-27 09:08:12 -05:00
Jamie Strandboge
ea4756a802
apparmor_notify: show last date when using -s # -v
2010-05-14 00:08:31 +02:00
Jamie Strandboge
7d76eea05a
apparmor_notify: show last date when using -s # -v
2010-05-14 00:07:32 +02:00
Jamie Strandboge
7d22b5bdce
abstractions/user-tmp: require 'owner' matching
2010-05-12 10:52:23 +02:00
Jamie Strandboge
8e97e4a405
apparmor_notify: add long options. You're welcome Steve ;)
2010-05-12 10:46:22 +02:00
Steve Beattie
d6713e49cd
First, readlink is in /bin/ on ubuntu, not /usr/bin - checked both
paths. Secondly, the /lib64 -> /lib symlink would mean the
/lib64/ld-linux symlink would incorrectly be generated as
/lib64/ld-N.NN.so which still has a symlink in its path, and thus
apparmor wouldn't permit the access. Fixing by having readlink
canonicalize the entire path.
ack thppt.
2010-04-27 02:37:30 -07:00
Jamie Strandboge
369e18202f
add dbus-session abstraction
2010-04-19 12:38:17 -05:00
Jamie Strandboge
96b1328967
apparmor_notify: adjust '(3 total)' to '(3 found)'
2010-04-08 23:00:52 -05:00
Jamie Strandboge
0254d63fdc
apparmor_notify: group like entries together when using -v with -s. Eg:
$ sudo apparmor_notify -s 1 -v
Profile: /usr/lib/firefox-3.6.3/firefox-*bin
Operation: exec
Name: /usr/bin/apturl
Denied: ::x
Logfile: /var/log/audit/audit.log
Profile: /usr/sbin/ntpd
Operation: open
Name: /var/lib/ntp/ntp.conf.dhcp
Denied: r::
Logfile: /var/log/audit/audit.log
(3 total)
AppArmor denials: 4 (since Wed Apr 7 22:57:56 2010)
For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor
2010-04-08 22:57:04 -05:00
John Johansen
b0a9f46bb7
Update parser man page to include dump and optimize flags
2010-04-03 16:24:06 -07:00
John Johansen
d295e3b444
Update several flags to not preclude their use with writing the cache,
they will however still skip reading the cache.
2010-04-03 15:41:40 -07:00
Jamie Strandboge
6186118aa0
adjust cgi path for php5 abstraction (LP: #538661)
2010-03-30 12:34:32 -05:00
Jamie Strandboge
98d20bf257
adjust path to extensions in php5 abstraction, since the extensions directory
is more free-form than once thought
2010-03-30 12:31:26 -05:00
Jamie Strandboge
c38f0f22bc
apparmor_notify: remove stray print
2010-03-30 12:26:32 -05:00
Jamie Strandboge
24446dd1d0
apparmor_notify.pod: add -u and -w options
2010-03-30 10:48:51 -05:00
Jamie Strandboge
cd90674f37
apparmor_notify: fix reopening logfile after dropping privileges (ie, notice
when auditd logs get rotated)
- use getgrnam() with setgid when dropping to nobody_group
- add '-u USER' option to drop to this user when running privileged but
not under sudo. Useful for starting when logged in as root.
- add a read access check before get_logfile_inode() so we don't have to
wait for the timeout in get_logfile_inode()
- set euid only when dropping privileges, instead of using POSIX::setuid()
which sets uid, euid and saved id when starting privileged
- create send_message() function which fork/execs so that we can set the
real uid before calling notify-send (notify-send looks at the real uid
when trying to connect to dbus)
- adjust reopen_logfile() to raise privileges (via euid) before accessing
logfile when $< != $>. Drop them again after open().
2010-03-30 10:31:23 -05:00
Jamie Strandboge
4cfe8e9d48
apparmor_notify.pod: update for -f
2010-03-27 09:16:38 -05:00
Jamie Strandboge
5ceb1fa1c9
apparmor_notify:
- also check for inode change
- update size to use stat
- treat logfile_size like logfile_inode
- update logfile_size and logfile_inode in reopen_logfile()
2010-03-27 09:14:33 -05:00
Jamie Strandboge
4fb9a702f0
apparmor_notify:
- add -f option to optionally specify the logfile
- when polling, check to see if the logfile size decreased, and if so, reopen
it. Currently this only works if you can read the file after dropping
privileges
2010-03-27 08:28:07 -05:00
Marc Deslauriers
daffe30e47
- utils/SubDomain.pm: get rid of warnings
2010-03-26 09:51:21 -04:00
Jamie Strandboge
f0b380fe5e
add 'k' to /var/lib/samba/**.tdb in the samba abstraction
2010-03-25 18:13:00 -05:00
Steve Beattie
4e039d07f3
- Break out make targets so that distributors that don't want full docs
can pick targets they want. Patch from Arkadiusz Miskiewicz <arekm at
maven.pl>.
- Comment out debug dump of generated af_names.h
2010-03-16 15:18:55 -07:00
Steve Beattie
b403bbdf82
Fix perl swig bindings so that libapparmor can be built when configured
without perl. Thanks to Arkadiusz Miskiewicz <arekm at maven.pl>.
2010-03-16 15:00:26 -07:00
Steve Beattie
8c7fea39d4
Expand parser stress test to include regexes and rlimit rules.
2010-03-15 11:31:38 -07:00
John Johansen
9efd526f6f
Fix memory leak during dfa minimization.
Dfa minimization wasn't deleting the states it eliminated during the
minimization process, and hence leaking memory.
2010-03-13 02:23:23 -08:00
Steve Beattie
4ab92b62f5
Fix debug options so they don't go through the dfa engine, significantly
speeding up the time to emit debugging information.
2010-03-12 15:26:32 -08:00
Steve Beattie
bd1b72ad42
*whimper* last portion of the strict-aliasing fix.
2010-03-12 15:20:22 -08:00
Steve Beattie
bccd45a22e
Bah, managed to forget part of the last commit. The other half of fixing
the strict-aliasing bit, the portion that I don't like.
2010-03-12 15:16:06 -08:00
Steve Beattie
3b9b2158c1
Fix strict aliasing issue that triggered a bug in the parser_symtab unit
tests. I don't like the solution because it exposes a data structure
definition outside of the only file that should know its layout.
Also, fixed the Makefile to fail the build when one of the unit test
programs fails. :-(
2010-03-12 14:41:58 -08:00
Steve Beattie
2a0df39961
Ease memory usage by collating rules in string form rather than as Rule
objects. Add randomly generating profile flags.
2010-03-12 03:05:25 -08:00
Steve Beattie
21875a520d
Fix leaking file descriptors on included files.
2010-03-12 01:50:26 -08:00
John Johansen
6c23d48649
Bump versioning to AppArmor 2.5
2010-03-10 23:07:29 -08:00
Steve Beattie
4094043011
Fix up some testcase description fields
2010-03-10 21:38:10 -08:00
Steve Beattie
970807f01a
Merge in stress test changes before ext4 eats them.
2010-03-10 21:09:15 -08:00
Steve Beattie
66286494a2
Resurrect another of the stress tests; it kinda works, though it requires
killall-ing a few things in order to make it stop. And alas, it does seem
to eventually cause kernel hangs with 2.6.32-16. (Committing now before ext4
eats my changes and brain.)
2010-03-10 20:56:47 -08:00
Steve Beattie
140495fe64
Make kernel stress tests work again (kill.sh works at least)
2010-03-10 17:56:51 -08:00
John Johansen
04a872f927
Add some new profile flag tests to validate parsing of the new flags
controlling name resolution.
2010-03-10 17:00:24 -08:00
Steve Beattie
60f6153446
Fixup parser stress test to work with modern parser args.
2010-03-10 16:11:39 -08:00
John Johansen
e2737566ff
Fix genprof/logprof to handle create (c) and delete (d) permissions that
are being reported by the kernel modules auditing.
2010-03-10 15:30:06 -08:00
Jamie Strandboge
dd3a979827
apparmor_notify: call getopt and check for -h before trying to open audit.log,
so help can be used as non-root when auditd is installed
2010-03-10 10:11:26 -06:00
Steve Beattie
69d59f80ed
Don't (un)load flattened hats on removal, as the kernel pulls them out
automatically (and the parser emits an error due to this).
2010-03-09 01:38:12 -08:00
Steve Beattie
ebe59ca483
Add a simple 'cx' mode testcase. I *think* I'm specifying it correctly.
2010-03-08 22:28:22 -08:00