Héctor Orón Martínez
26431478a6
apparmor: support usrmerge
...
Allow binaries in /bin to run from /usr/bin as well.
For more information on usrmerge, see
https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/
Signed-off-by: Héctor Orón Martínez <hector.oron@collabora.co.uk>
2017-12-09 23:56:58 +01:00
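The rewrite this commit describes (letting a rule for /bin also cover /usr/bin) can be checked mechanically. The script below is an added example, not AppArmor project code or part of this commit: it expands a rule's brace alternations, checks whether every path under /bin, /sbin or /lib* has its /usr twin, and rewrites a literal leading prefix as the /{usr/,}... alternation. It assumes one rule per line, unquoted paths and only audit/deny/owner qualifiers before the path; the sample rules are constructed for the example.

```python
"""Flag AppArmor file rules that stop matching under usrmerge.

Added example, not AppArmor project code. Once /bin, /sbin and /lib* are
symlinks into /usr, AppArmor mediates the resolved path, so a rule written
for /bin/foo never sees /usr/bin/foo. This helper expands a rule's brace
alternations, checks whether each path under a merged directory has its
/usr twin, and rewrites a literal leading /bin, /sbin or /lib* as the
/{usr/,}... alternation. Assumptions: rules are one per line, paths are
unquoted, and only audit/deny/owner qualifiers precede the path.
"""
import re

MERGED = ("bin", "sbin", "lib", "lib32", "lib64", "libx32")
RULE_RE = re.compile(r'^(\s*(?:(?:audit|deny|owner)\s+)*)(/\S+)(.*)$')


def expand_braces(pattern):
    """Expand {a,b} alternations (nested allowed) into the plain paths they cover."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def merged_dir(path):
    """Name of the merged top-level directory `path` lives in, else None."""
    for d in MERGED:
        if path == f"/{d}" or path.startswith(f"/{d}/"):
            return d
    return None


def usrmerge_rule(rule):
    """Return (rule, status): 'ok' when both locations are already covered or
    the line is not a file rule, 'rewritten' when a literal /bin-style prefix
    was turned into /{usr/,}..., 'review' when the path starts with an
    alternation that needs a hand-written fix."""
    m = RULE_RE.match(rule)
    if not m:
        return rule, "ok"
    prefix, path, rest = m.groups()
    covered = set(expand_braces(path))
    missing = [p for p in covered if merged_dir(p) and "/usr" + p not in covered]
    if not missing:
        return rule, "ok"
    if merged_dir(path):
        return f"{prefix}/{{usr/,}}{path[1:]}{rest}", "rewritten"
    return rule, "review"


def usrmerge_profile(lines):
    """Apply usrmerge_rule() to every line of a profile body."""
    return [usrmerge_rule(line) for line in lines]


# Constructed sample profile body (not from any shipped profile).
SAMPLE_RULES = [
    "  /bin/dash ixr,",
    "  owner /lib/x86_64-linux-gnu/lib*.so* mr,",
    "  /{usr/,}sbin/postconf rix,",
    "  /{bin,sbin}/ip Ux,",
    "  /usr/share/icons/** r,",
    "  capability dac_read_search,",
]

if __name__ == "__main__":
    for new_rule, status in usrmerge_profile(SAMPLE_RULES):
        print(f"{status:9} {new_rule}")
```

Rules whose path begins with an alternation are only flagged, since prefixing them with /{usr/,} would also produce nonsense like /usr/usr/bin; those are left for a human.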
intrigeri
dcefc1baa4
Update ubuntu-email abstraction for new Thunderbird executable path
...
See merge request apparmor/apparmor!32
Signed-off-by: Vincas Dargis <vindrg@gmail.com>
Acked-By: intrigeri <intrigeri@boum.org>
2017-12-07 17:06:09 +00:00
Vincas Dargis
7546413b43
Update abstraction for new Thunderbird executable path
...
* Add -bin suffix to reach new Thunderbird executable.
2017-12-07 16:41:10 +00:00
Jamie Strandboge
c69acb81c9
Merge branch 'update-fonts-abstraction' into 'master'
...
abstractions/fonts: also allow owner read on ~/.local/share/fonts
See merge request apparmor/apparmor!31
2017-12-06 13:55:14 +00:00
Jamie Strandboge
c4a5e1d554
abstractions/fonts: also allow owner read on ~/.local/share/fonts
...
The fonts abstraction had owner rules for ~/.fonts, but the current
standard location[1][2] in XDG_DATA_HOME was missing.
[1]https://cgit.freedesktop.org/fontconfig/commit/?id=8c255fb1
[2]https://lists.freedesktop.org/archives/fontconfig/2014-July/005270.html
2017-12-05 15:49:55 -06:00
Tyler Hicks
debc4e3ffe
Merge branch 'exit-from-Makefile-shell-snippets' into 'master'
...
binutils, parser, utils: Exit from Makefile shell snippets
See merge request apparmor/apparmor!27
Acked-by: Christian Boltz <apparmor@cboltz.de>
2017-12-05 17:44:48 +00:00
Tyler Hicks
4b72ba29ed
Merge branch 'utils-check-depends-on-parser' into 'master'
...
Utils check depends on parser
See merge request apparmor/apparmor!25
Acked-by: Christian Boltz <apparmor@cboltz.de>
2017-12-05 17:39:07 +00:00
Tyler Hicks
2c04f44a80
binutils, parser, utils: Exit from Makefile shell snippets
...
Exit rather than returning from shell snippets in Makefiles. It is
reported that returning causes the following error message with bash:
/bin/sh: line 4: return: can only `return' from a function or sourced script
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Christian Boltz <apparmor@cboltz.de>
2017-12-04 23:28:10 +00:00
Tyler Hicks
5bdacd2432
README: Document that the parser should be built before the utils
...
The utils have tests that rely on the in-tree parser to be built so it
should be documented that the parser should be built first.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
2017-12-04 23:10:03 +00:00
Tyler Hicks
20e7f523ca
utils: Gracefully handle a missing parser in the check target
...
The test-aa-easyprof.py script relies on the parser to be built so the
check target of the utils/test/Makefile should detect if the parser
exists before running any tests.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Christian Boltz <apparmor@cboltz.de>
2017-12-04 23:10:03 +00:00
Steve Beattie
ca983811fb
dovecot: allow capability dac_read_search
...
Merge branch 'cboltz-dovecot-caps' into 'master'
See merge request
https://gitlab.com/apparmor/apparmor/merge_requests/16
2017-12-01 20:40:29 +00:00
Steve Beattie
a1bad3a293
Ignore untranslated texts in check_po.pl
...
Merge branch 'cboltz-check_po' into 'master'
See merge request
https://gitlab.com/apparmor/apparmor/merge_requests/15
2017-12-01 19:52:55 +00:00
Christian Boltz
3d40bc6f23
Merge branch 'cboltz-remove-unknown-newline' into 'master'
...
Don't print a literal '\n' in aa-remove-unknown help
See merge request apparmor/apparmor!21
Acked-by: Tyler Hicks <tyhicks@canonical.com> for 2.9..trunk
2017-12-01 10:09:28 +00:00
Christian Boltz
4d4228d157
Don't print a literal '\n' in aa-remove-unknown help
2017-12-01 00:26:56 +01:00
Steve Beattie
2aabf0c0f0
Update Java abstraction for version 8 and 9
...
Merge branch 'update-java' into 'master'
I have discovered denies on Debian Sid by Thunderbird being unable to load the IcedTea plugin upon profile creation (can be reproduced by deleting/moving the `$HOME/.thunderbird` directory).
Additionally, profile was tested with (modified) `usr.lib.firefox.firefox` and made it run some random IcedTea applet successfully [0].
There are still denies for `/usr/bin/logger`, but I left this for later patches.
Please note that the path to the Java 9 binary is different from that of previous versions.
Relevant DENIED messages:
```
type=AVC msg=audit(1511099962.556:810): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so" pid=5186 comm="thunderbird" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1511099962.556:810): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=296bc8 a2=5 a3=802 items=0 ppid=1541 pid=5186 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key=(null)
type=PROCTITLE msg=audit(1511099962.556:810): proctitle="/usr/lib/thunderbird/thunderbird"
```
```
type=AVC msg=audit(1511100105.471:1018): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-debug-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1018): arch=c000003e syscall=2 success=no exit=-13 a0=7f3638000cb0 a1=0 a2=1b6 a3=7f36ae502620 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1018): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
```
type=AVC msg=audit(1511100105.471:1019): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1019): arch=c000003e syscall=2 success=no exit=-13 a0=7f36a822bdc0 a1=0 a2=1b6 a3=10002ae08 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1019): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
```
type=AVC msg=audit(1511100221.153:1132): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin" pid=6414 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100221.153:1132): arch=c000003e syscall=2 success=no exit=-13 a0=7f20e025e280 a1=241 a2=1b6 a3=10002ae08 items=0 ppid=6405 pid=6414 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100221.153:1132): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
[0] https://centra.tecnico.ulisboa.pt/~amaro/Spline3D.html
See merge request https://gitlab.com/apparmor/apparmor/merge_requests/13/
2017-11-29 23:41:42 +00:00
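The DENIED records quoted in this merge request are the raw material for profile changes, and the three record types share a serial that ties them together. The script below is an added example, not AppArmor project code (aa-logprof does this job properly, generalising paths and offering abstractions): it parses the key=value fields, decodes the hex-encoded PROCTITLE into argv, groups denials by profile or hat, and drafts a candidate rule per path from denied_mask. The sample input is the AVC and PROCTITLE lines quoted above; SYSCALL lines are left out.

```python
"""Parse AppArmor DENIED audit records and draft candidate profile rules.

Added example, not AppArmor project code. The sample records are the
AVC and PROCTITLE lines quoted in the merge request above; rule text is a
first-pass draft built from denied_mask only.
"""
import re
from collections import defaultdict

# Constructed sample: AVC/PROCTITLE lines copied from the merge request text.
SAMPLE_LOG = r'''
type=AVC msg=audit(1511099962.556:810): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so" pid=5186 comm="thunderbird" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=PROCTITLE msg=audit(1511099962.556:810): proctitle="/usr/lib/thunderbird/thunderbird"
type=AVC msg=audit(1511100105.471:1018): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-debug-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=PROCTITLE msg=audit(1511100105.471:1018): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
type=AVC msg=audit(1511100105.471:1019): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511100221.153:1132): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin" pid=6414 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
'''

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
MASK_ORDER = "rwamklx"   # order permissions are conventionally written in


def parse_record(line):
    """Split one audit line into fields. proctitle becomes an argv list:
    audit hex-encodes it when argv holds NUL separators, so an unquoted
    value is decoded and split on NUL; a quoted value is just argv[0]."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        quoted = raw.startswith('"') and raw.endswith('"')
        val = raw[1:-1] if quoted else raw
        if key == "proctitle":
            val = [val] if quoted else [
                a.decode("utf-8", "replace") for a in bytes.fromhex(val).split(b"\0")]
        fields[key] = val
    m = SERIAL_RE.search(line)
    if m:
        fields["serial"] = m.group(1)
    return fields


def perms_from_mask(mask):
    """denied_mask letters -> rule permissions; create/delete need 'w'."""
    return {"w" if ch in "cd" else ch for ch in mask}


def suggest_rules(log_text):
    """Return {profile_or_hat: [rule, ...]} for every DENIED file event."""
    wanted = defaultdict(lambda: defaultdict(set))   # profile -> path -> perms
    is_owner = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") != "AVC" or rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        # "profile//hat": the hat (child profile) is where the rule belongs
        profile = rec["profile"].split("//")[-1]
        path = rec["name"]
        wanted[profile][path] |= perms_from_mask(rec.get("denied_mask", ""))
        # owner-qualify the rule when the process uid matches the object uid
        is_owner[(profile, path)] = rec.get("fsuid") == rec.get("ouid")
    rules = {}
    for profile, paths in wanted.items():
        rules[profile] = []
        for path, perms in sorted(paths.items()):
            perm = "".join(p for p in MASK_ORDER if p in perms)
            qualifier = "owner " if is_owner[(profile, path)] else ""
            rules[profile].append(f'{qualifier}"{path}" {perm},')
    return rules


def process_argv(log_text, serial):
    """argv of the denied process, from the PROCTITLE record with that serial."""
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            if rec.get("type") == "PROCTITLE" and rec.get("serial") == serial:
                return rec["proctitle"]
    return None


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        for rule in lines:
            print("  " + rule)
    print(process_argv(SAMPLE_LOG, "1018"))
```

The decoded argv of serial 1018 shows java being started with IcedTea's javaws options (the audit subsystem truncates proctitle, so the last argument is cut off), which is the evidence that the `browser_openjdk` hat, not the parent profile, needs the /run/user rules. The drafted rules keep the per-session random directory names literally; a real profile would glob them.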
Christian Boltz
014695786c
Merge branch 'cboltz-gitignore' into 'master'
...
.gitignore: add several libapparmor *.o files
See merge request apparmor/apparmor!18
Acked-by: Tyler Hicks <tyhicks@canonical.com>
2017-11-28 22:08:00 +00:00
Christian Boltz
794d1c4a07
Merge branch 'cboltz-double-read-inactive' into 'master'
...
Let read_inactive_profiles() do nothing when calling it the second time
See merge request apparmor/apparmor!17
2017-11-28 21:55:17 +00:00
Christian Boltz
d7ffc37011
.gitignore: add several libapparmor *.o files
2017-11-28 22:49:53 +01:00
Christian Boltz
b307e535fa
Let read_inactive_profiles() do nothing when calling it the second time
...
autodep() calls read_inactive_profiles() each time it's called (= for
each binary). The result is a "Conflicting profile" error (showing the
same filename twice) if autodep() runs more than once. This can easily
happen when using "aa-autodep /usr/bin/*".
This patch adds an attribute to read_inactive_profiles() that lets the
function return without doing anything if it was called before.
2017-11-28 21:46:36 +01:00
Christian Boltz
4ef505a6e7
dovecot: allow capability dac_read_search
...
This is needed for /var/spool/postfix/private/ (postfix:root 700)
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c9
2017-11-28 18:47:26 +01:00
Christian Boltz
455489c9fe
Ignore untranslated texts in check_po.pl
...
check_po.pl lists lots of false positives saying that
msgstr ""
does not have the (h)otkey translated.
This patch whitelists those untranslated strings.
I also tested (by manually "breaking" a translation) that missing
hotkeys still get noticed.
This bug probably exists since forever, therefore I propose this patch
for 2.9..trunk. (OTOH, nobody noticed it, so maybe trunk is enough ;-)
Note: I still get a few false positives for ru.po (no idea why, similar
texts in the other languages don't cause this) - ideas and fixes welcome.
2017-11-27 23:47:52 +01:00
Christian Boltz
42bd81df01
Merge branch 'cboltz-dovecot-auth' into 'master'
...
allow dac_read_search and dac_override for dovecot/auth
See merge request apparmor/apparmor!14
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
2017-11-27 21:36:30 +00:00
Christian Boltz
6f6b3c57fb
allow dac_read_search and dac_override for dovecot/auth
...
This is needed for:
- /var/spool/postfix/private/ (postfix:root 700) -> dac_read_search
- /run/dovecot/auth-worker (dovecot:root 600) -> dac_override
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1069470
2017-11-26 16:38:06 +01:00
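The two dovecot commits above (the one for dovecot/auth here and the one for the main dovecot profile further up) grant dac_read_search for a 0700 directory but dac_override for a 0600 socket. The distinction follows the kernel's DAC fallback order, which the model below reproduces; it is an added example and not AppArmor or kernel code. Assumptions: the accessing process runs as root (uid 0, gid 0, so only the AppArmor capability rule decides), connecting to the auth-worker socket needs write permission, and the uids 100/97 standing in for postfix/dovecot are placeholders.

```python
"""Model of the Linux DAC fallback: which capability lets an access through
once the owner/group/other bits deny it. Added example, not AppArmor code.
Mirrors generic_permission(): directories fall back to CAP_DAC_READ_SEARCH
for non-write access and to CAP_DAC_OVERRIDE otherwise; regular objects
fall back to CAP_DAC_READ_SEARCH for pure reads, to CAP_DAC_OVERRIDE for
anything else, except that no capability grants execute on an object with
no x bit at all. Uids 100 (postfix) and 97 (dovecot) are placeholders."""
import stat

POSTFIX_UID, DOVECOT_UID, ROOT = 100, 97, 0   # placeholder ids


def dac_allows(mode, owner_uid, owner_gid, uid, groups, want):
    """Classic owner/group/other check. `want` is a subset of {"r","w","x"}."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid in groups:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    need = (4 if "r" in want else 0) | (2 if "w" in want else 0) | (1 if "x" in want else 0)
    return bits & need == need


def capability_needed(mode, owner_uid, owner_gid, uid, groups, want):
    """None if DAC alone permits; otherwise the least-privileged capability
    that would let the access through, or "EACCES" if none does."""
    if dac_allows(mode, owner_uid, owner_gid, uid, groups, want):
        return None
    if stat.S_ISDIR(mode):
        # read/search on a directory: CAP_DAC_READ_SEARCH is enough
        return "dac_read_search" if "w" not in want else "dac_override"
    if want == {"r"}:
        return "dac_read_search"
    # CAP_DAC_OVERRIDE never grants execute when no x bit is set at all
    if "x" in want and not (mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)):
        return "EACCES"
    return "dac_override"


def dovecot_cases():
    """The two paths from the commit messages plus two contrasting cases."""
    return {
        # /var/spool/postfix/private/ is postfix:root 0700; root needs search
        "postfix_private_dir": capability_needed(
            stat.S_IFDIR | 0o700, POSTFIX_UID, 0, ROOT, {0}, {"x"}),
        # /run/dovecot/auth-worker is dovecot:root 0600; connecting needs write
        "auth_worker_socket": capability_needed(
            stat.S_IFSOCK | 0o600, DOVECOT_UID, 0, ROOT, {0}, {"w"}),
        # the owning uid needs no capability at all
        "owner_access": capability_needed(
            stat.S_IFSOCK | 0o600, DOVECOT_UID, 0, DOVECOT_UID, {0}, {"w"}),
        # a mode-000 file cannot be executed even with dac_override
        "exec_no_x_bits": capability_needed(
            stat.S_IFREG | 0o000, POSTFIX_UID, 0, ROOT, {0}, {"x"}),
    }


if __name__ == "__main__":
    for name, cap in dovecot_cases().items():
        print(f"{name:20} -> {cap}")
```

The point for profile authors: granting dac_override where dac_read_search suffices hands the confined process write access to every file the DAC bits would otherwise protect, so the commit's split between the two capabilities is the least-privilege choice, not an arbitrary one.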
Vincas Dargis
d662c2be72
Update Java abstraction for version 8 and up
...
* Alter paths to allow Java version 8 and up.
* Add file rules to fix IcedTea browser plugin.
* Refactor to keep path consistency against parent and child profile,
reduce repetitive rules.
2017-11-25 16:04:24 +02:00
Christian Boltz
4b8b08562a
Merge branch 'patch-1' into 'master'
...
Allow to read pulseaudio config subdirectories
See merge request apparmor/apparmor!12
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9, 2.10, 2.11 and trunk
2017-11-18 17:24:24 +00:00
Vincas Dargis
9658471d38
Allow to read pulseaudio config subdirectories
...
Fixes denied "/etc/pulse/client.conf.d/00-disable-autospawn.conf" read on Debian Sid
2017-11-18 14:20:07 +00:00
Christian Boltz
852d26de6c
Merge branch 'utils_save_profiles' into 'master'
...
utils: fix and improve "save profiles"
See merge request apparmor/apparmor!10
Acked-by: Tyler Hicks <tyhicks@canonical.com> for master and 2.11
2017-11-14 20:03:15 +00:00
Christian Boltz
051be5dec0
Remember selected profile in save_profiles()
...
After using "view changes", the selection got reset to the first changed
profile. This could mislead the user into saving the wrong profile.
This patch ensures the selection is kept.
I propose this patch for trunk and 2.11.
(2.11 will need different indentation again.)
I'm not sure if we should also apply this in 2.10 and 2.9 - they have
the same behaviour, but OTOH I'm not sure if changing behaviour (even if
it's an improvement) in those old releases is a good idea.
Opinions?
2017-11-12 20:23:30 +01:00
Christian Boltz
fe1fb7caa3
Fix sorted() regression in save_profiles()
...
The last change in save_profiles() sorted() the order in which the
changed profiles get displayed. However, it did not honor the sorting
when displaying changes or saving the selected profile, leading to the
wrong profile displayed or saved.
This patch fixes picking the selected profile, and at the same time
replaces the duplicated code for doing this with a single instance.
I propose this patch for trunk and 2.11.
Note that the 2.11 branch needs a slightly different patch (different
indentation).
Also note that this regression made it into 2.11.1, so distributions
shipping 2.11.1 should add this patch.
2017-11-12 20:22:49 +01:00
Christian Boltz
21bc71e576
Merge branch 'google-chrome-unstable' into 'master'
...
ubuntu-browsers, ubuntu-helpers: add support for Google Chrome unstable (LP: #1730536).
See merge request apparmor/apparmor!9
Acked-by: Christian Boltz <apparmor@cboltz.de>
2017-11-12 18:41:18 +00:00
intrigeri
2b02d7df83
ubuntu-browsers, ubuntu-helpers: add support for Google Chrome unstable (LP: #1730536).
2017-11-12 13:39:54 +00:00
John Johansen
543a6a6fed
Merge branch 'google-chrome-beta' into 'master'
...
ubuntu-browsers, ubuntu-helpers: add support for Google Chrome beta
See merge request apparmor/apparmor!7
Acked-by: John Johansen <john@jjmx.net>
2017-11-05 19:13:34 +00:00
intrigeri
92752f56da
ubuntu-browsers, ubuntu-helpers: add support for Google Chrome beta
...
Bug-Debian: https://bugs.debian.org/880923
2017-11-05 18:55:23 +00:00
John Johansen
745aa4d342
Merge branch 'regression-test-warnings' into 'master'
...
Fix regression test build warnings
See merge request apparmor/apparmor!2
Acked-by: John Johansen <john@jjmx.net>
2017-11-03 20:57:47 +00:00
Tyler Hicks
aa05cbdd1e
Fix regression test build warnings
2017-11-03 20:57:46 +00:00
John Johansen
ddbf6c24bb
Merge branch 'cscope' into 'master'
...
gitignore: Add cscope files to ignored list
See merge request apparmor/apparmor!3
2017-11-03 20:51:32 +00:00
John Johansen
51764eda98
Merge branch 'unref-errno' into 'master'
...
libapparmor: Preserve errno across aa_*_unref() functions
See merge request apparmor/apparmor!6
Acked-by: John Johansen <john@jjmx.net>
2017-11-03 20:36:40 +00:00
John Johansen
59a5bc088c
Merge branch 'kernel-interface-man-typos' into 'master'
...
libapparmor: Fix typos in aa_kernel_interface(3) man page
See merge request apparmor/apparmor!5
2017-11-03 20:20:42 +00:00
Tyler Hicks
b813beeb1b
libapparmor: Fix typos in aa_kernel_interface(3) man page
...
The RETURN VALUE section contained two typos where "kernel_features" was
used instead of "kernel_interface".
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
2017-11-03 15:38:54 +00:00
Tyler Hicks
7fad3512f0
libapparmor: Preserve errno across aa_*_unref() functions
...
Callers of aa_features_unref(), aa_kernel_interface_unref(), and
aa_policy_cache_unref() had to store off errno and restore it after
calling those functions in error paths. This patch preserves errno
across those *_unref() functions so that callers don't have to.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
2017-11-03 15:34:26 +00:00
Tyler Hicks
29c5c6b621
gitignore: Add cscope files to ignored list
...
Ignoring cscope.* files allows users of cscope to not be bothered by
`git status` reporting that an unknown file is in the source tree.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
2017-11-02 16:40:09 +00:00
Seth Arnold
56394f8def
Merge branch 'make-variable' into 'master'
...
all: Use the MAKE variable
See merge request apparmor/apparmor!1
2017-11-02 00:38:48 +00:00
Tyler Hicks
19c6c3310b
all: Use the MAKE variable
...
https://www.gnu.org/software/make/manual/html_node/MAKE-Variable.html
We should be using the $(MAKE) variable when calling the make command
from Makefiles since we use Makefile recursion.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
2017-11-01 23:22:53 +00:00
Steve Beattie
29b20fd688
git conversion: move .bzrignore to .gitignore
...
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
2017-10-27 22:46:03 -07:00
Steve Beattie
df0f20f32b
parser+libapparmor: partially address issues building with musl
...
adjust macros and header inclusion to make progress on building with the
musl C library.
Acked-by: Steve Beattie <steve@nxnw.org>
2017-10-27 17:12:24 -07:00
Steve Beattie
c4a4e5bb82
profiles: add attach_disconnected flags to example apache profile
...
Without it, seeing rejections like:
apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=13777 comm="apache2" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875892
2017-10-27 10:59:33 -07:00
Steve Beattie
d2f7f21b04
profiles: update wireshark profile for modern releases
...
Acked-by: Steve Beattie <steve@nxnw.org>
2017-10-26 16:58:26 -07:00
John Johansen
eab153a7e9
Bump version 2.11.95 for 2.12 beta
...
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-10-26 10:50:19 -07:00
Steve Beattie
f737cc3444
profiles: allow OpenAL HRTF support in audio abstraction
...
The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665
2017-10-26 10:18:58 -07:00
Christian Boltz
7aeebcbb60
Keep JSON version at 2.12
...
We never did a release with the JSON code, and YaST (the only known user
of the JSON interface) will work with the added 'changes' dialog type
from r3721 without needing changes.
Also add a better comment/reason why a response for 'changes' is
expected, but gets ignored.
Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2017-10-26 18:49:32 +02:00