Use nvidia_modprobe named profile inside opencl-nvidia abstraction
Commit 8f9bd5b0 rightfully removed PUx
transition into nvidia-modprobe executable due to security concerns. To
overcome this, commit 327420b1 added
named nvidia_modprobe profile, which allows to use this abstraction
without requiring additional rules to make OpenCL work with NVIDIA
drivers.
Add rule to allow Px transition into nvidia_modprobe profile for
nvidia-modprobe executable.
I propose this for 2.13..master (opencl* are only available in 2.13...). Please check if nvidia_modprobe is already backported.
https://gitlab.com/apparmor/apparmor/merge_requests/219
Acked-by: John Johansen <john.johansen@canonical.com>
aa-notify: Read user's configuration file from XDG_CONFIG_HOME
Legacy path ~/.apparmor/notify.conf is preferred if it exists, otherwise $XDG_CONFIG_HOME/apparmor/notify.conf, with fallback to ~/.config/apparmor/notify.conf, is used.
See merge request https://gitlab.com/apparmor/apparmor/merge_requests/215
Signed-off-by: nl6720 nl6720@gmail.com
Acked-by: John Johansen <john.johansen@canonical.com>
Add missing paths to usr.sbin.nmbd, usr.sbin.smbd and abstractions/samba
See merge request apparmor/apparmor!210
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
Commit 8f9bd5b0e3 rightfully removed PUx
transition into nvidia-modprobe executable due to security concerns. To
overcome this, commit 327420b151 added
named nvidia_modprobe profile, which allows to use this abstraction
without requiring additional rules to make OpenCL work with NVIDIA
drivers.
Add rule to allow Px transition into nvidia_modprobe profile for
nvidia-modprobe executable.
Legacy path ~/.apparmor/notify.conf is preferred if it exists, otherwise
$XDG_CONFIG_HOME/apparmor/notify.conf, with fallback to
~/.config/apparmor/notify.conf, is used.
Signed-off-by: nl6720 <nl6720@gmail.com>
test-libapparmor-test_multi.py: test for known-empty log
Add a check to logfile_to_profile() that checks the parsed log against a
list of input logs (log_to_profile_known_empty_log) that produce an
empty output.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/214
Acked-by: John Johansen <john.johansen@canonical.com>
Add nvidia_modprobe named profile
nvidia-modprobe is setuid executable is used to create various device
files and load the the NVIDIA kernel module
(https://github.com/NVIDIA/nvidia-modprobe).
Add named profile to be used in application profiles for confining
potentially risky setuid application.
I propose this to 2.10..master.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/213
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: John Johansen <john.johansen@canonical.com>
Add basic support for abi rules to the tools
Add basic support for abi rules to the tools
Add basic "understand and keep" support for abi rules, where "understand" means to not error out when seeing an abi rule, and "keep" simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules), but for now, this patch is the smallest possible changeset and easy to backport.
Note that the only added test is via cleanprof_test.* which is used by minitools_test.py - and does not run if you do a 'make check'. Oh, and of course the simple_tests/abi/ files also get parsed by test-parser-simple-tests.py.
Also note that serialize_profile_from_old_profile() (which no longer exists in master, "only" in <= 2.13) would in theory also need support for abi rules. In practise, making this another case of "serialize_profile_from_old_profile() has known issues" is probably fine, but we should at least test that "(V)iew changes" doesn't break if an abi rule is present.
I propose this patch for 2.10..master.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/202
Acked-by: John Johansen <john.johansen@canonical.com>
nvidia-modprobe is setuid executable is used to create various device
files and load the the NVIDIA kernel module
(https://github.com/NVIDIA/nvidia-modprobe).
Add named profile to be used in application profiles for confining
potentially risky setuid application.
Add a check to logfile_to_profile() that checks the parsed log against a
list of input logs (log_to_profile_known_empty_log) that produce an
empty output.
The function was messing up its use of fds, it could get away with
it because the cb_dirfd passed to fdopendir was still valid until
closedir was called but if code was moved around, or fdopendir
code changed behavior it could easily break.
Also the check for dup failing was wrong fix it.
Reference: coverity #187003
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time-out
Include qt5 into kde abstraction
See merge request apparmor/apparmor!209
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and backporting to 2.10..2.13 (as soon as the qt5 abstraction is backported)
Currently, kde abstraction has rules relevant to Qt 3 and Qt 4
libraries, but are missing rules against latest Qt 5.
Include read-only Qt 5 abstraction to fix styling and similar issues for
software running on KDE 5 desktop.
Fixes https://bugs.launchpad.net/apparmor/+bug/1787201
Add uid and uids kernel var placeholders
Add @{uid} and @{uids} variables to allow migrating profiles in advance while awaiting path mediation implementation, based on current user id, in kernel side.
See merge request apparmor/apparmor!208
Acked-by: John Johansen <john.johansen@canonical.com>
Add @{uid} and @{uids} variables to allow migrating profiles in advance
while awaiting path mediation implementation, based on current user id,
in kernel side.
gio-launch-desktop helper tries to execute /usr/bin/thunderbird wrapper
script, not the /usr/lib/thunderbird... directly.
Add rule allowing to execute /usr/bin/thunderbird.
Harden abstractions
Harden abstractions
remove antiquated abstractions/launchpad-integration
abstractions/opencl-nvidia: don't allow PUx on nvidia-modprobe
abstractions/private-files-strict: disallow access to the dirs of private files
abstractions/private-files: disallow writes to thumbnailer dir (LP: #1788929)
ubuntu-browsers.d/user-files: disallow access to the dirs of private files
Nominating launchpad-integration and opencl-nvidia for 2.13. Nominating private-files-strict, private-files and user-files for 2.10 and higher
See merge request apparmor/apparmor!203
Acked-by: John Johansen <john.johansen@canonical.com>
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does _not_ run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
Also note that serialize_profile_from_old_profile() (which no longer
exists in master, "only" in <= 2.13) would in theory also need support
for abi rules. In practise, making this another case of
"serialize_profile_from_old_profile() has known issues" is probably
fine, but we should at least test that "(V)iew changes" doesn't break if
an abi rule is present.
This reverts commit ab7459ed40.
This commit was meant to go to a branch to setup a merge request in
gitlab. Revert until the commit has gone through the regular review
process.
Signed-off-by: John Johansen <john.johansen@canonical.com>
make simple.pl / parser make check output more useful
Instead of printing the (useless) numbers of no-longer-failing tests
marked as TODO, let prove print out the actual test names.
A side effect is that really unfixed TODOs and disabled tests get
printed (lists about 10 tests), but that's much better than having to
hunt down the no-longer-failing TODOs.
This change will print out lines like (the first one is still a TODO,
the second one got fixed at some time)
not ok 71447 - TODO: ./simple_tests//vars/vars_profile_name_13.sd: reference variables that are the profile name and attachment # TODO Unfixed testcase.
ok 71448 - TODO: ./simple_tests//vars/vars_profile_name_14.sd: reference variables in rules that also have alternations # TODO Unfixed testcase.
before printing the test summary.
I propose this patch for master and (optionally) the maintained branches.
See merge request apparmor/apparmor!194
Acked-by: John Johansen <john.johansen@canonical.com>
Instead of printing the (useless) numbers of no-longer-failing tests
marked as TODO, let `prove` print out the actual test names.
A side effect is that really unfixed TODOs and disabled tests get
printed (lists about 10 tests), but that's much better than having to
hunt down the no-longer-failing TODOs.
This change will print out lines like (the first one is still a TODO,
the second one got fixed at some time)
```
not ok 71447 - TODO: ./simple_tests//vars/vars_profile_name_13.sd: reference variables that are the profile name and attachment # TODO Unfixed testcase.
ok 71448 - TODO: ./simple_tests//vars/vars_profile_name_14.sd: reference variables in rules that also have alternations # TODO Unfixed testcase.
```
before printing the test summary.
usr.sbin.dnsmasq: add paths for NetworkManager connection sharing
dnsmasq needs to access additional paths when used for connection sharing by NetworkManager.
Additionally it needs read permissions to /usr/share/dnsmasq/trust-anchors.conf which contains the DNSSEC trust anchors.
See merge request apparmor/apparmor!193
Acked-by: John Johansen <john.johansen@canonical.com>
Add qt5 writing abstractions
Qt-based applications stores QFileDialog (latest browsed directory) and
other shared user settings inside ~/.config/QtProject.conf. Currently
available qt abstraction only allows to read it (by design), so this
patch introduces abstraction that grants permissions for writing.
Relevant denies discovered with KDE Dragon Player:
/var/log/audit/audit.log.1:type=AVC msg=audit(1533485161.999:981): apparmor="DENIED" operation="mknod" profile="/usr/bin/dragon" name="/home/vincas/.config/QtProject.conf.lock" pid=29911 comm="dragon" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1533486419.266:1141): apparmor="DENIED" operation="file_lock" profile="/usr/bin/dragon" name="/home/vincas/.config/QtProject.conf.lock" pid=30406 comm="dragon" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
/var/log/audit/audit.log.1:type=AVC msg=audit(1533485206.575:1006): apparmor="DENIED" operation="link" profile="/usr/bin/dragon" name="/home/vincas/.config/QtProject.conf.Gflpds" pid=29946 comm="dragon" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/vincas/.config/#12982163"
In addition, added new qt-compose-cache-write abstraction as some applications wants to write compose cache. qt5 abstraction is appended with read-only rule (that's enough for LibreOffice using KDE file dialog).
See merge request apparmor/apparmor!159
Acked-by: John Johansen <john.johansen@canonical.com>
use empty parser/tst/parser.conf in all parser and profile tests
See merge request apparmor/apparmor!191
Without this, the system-wide parser.conf gets used, which causes test
failures if for example caching is enabled and the cache dir isn't
writeable for the user running the tests.
I propose this for all branches where the parser understands --config-file.
Acked-by: John Johansen <john.johansen@canonical.com>
Without this, the system-wide parser.conf gets used, which causes test
failures if for example caching is enabled and the cache dir isn't
writeable for the user running the tests.
add python3.7 to logprof.conf
See merge request apparmor/apparmor!190
add python3.7 to logprof.conf
I propose this patch for at least 2.12..master, maybe also 2.10 and 2.11 (even if it's unlikely that someone uses the latest python3 on a distro with old AppArmor)
Acked-by: John Johansen <john.johansen@canonical.com>
