This imports translations from launchpad up to commit
revno: 2523
committer: Launchpad Translations on behalf of apparmor-dev
branch nick: apparmor
timestamp: Fri 2025-02-21 09:32:26 +0000
message:
Launchpad automatic translations update.
Signed-off-by: John Johansen <john.johansen@canonical.com>
These are needed by e.g. AppImages
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1556
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
sbuild is an unconfined profile allowing it to bypass the unprivlieged
user namespace restriction.
unconfined profiles use a pix transition which means that when the
unprivileged_unshare profile is enabled, the binaries in an unconfined
profile calling unshare will cause a transition to the unprivileged_unshare
profile.
This will break sbuild because it needs capabilities within the
user namespace.
However we cannot just add a x transition rule to unconfined profiles, as
the transitions won't be respected. Instead, we have to make the profile
a default allow profile and add a transition that will override
the default pix transition of allow all.
We have to add the attached_disconnected and mediated_deleted flags
because sbuild is manipulating mounts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1555
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
sbuild is an unconfined profile allowing it to by-pass the unprivlieged
user namespace restritction.
unconfined profiles us a pix transition which means when the
unprivileged_unshare profile is enabled, the binaries in an unconfined
profile calls unshare it will transition to the unprivileged_unshare
profile.
This will break sbuild because it needs capabilities within the
user namespace.
However we can not just add a x transition rule to unconfined profiles,
the transitions won't be respected. Instead we have to make the profile
a default allow profile, and add a transition that will override
the default pix transition of allow all.
We have to add the attached_disconnected and mediated_deleted flags
because sbuild is manipulating mounts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is a trivial fix for
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1543
instead of waiting longer for the auther to fix, the MR was merged
and this manual fixup done.
Fixes: dfe9d713f ("aa-logprof/aa-genprof: allow ignoring executions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
This manifested with chmod calls failing in autopkgtests of dbus and snapd.
Given the magnitude of regressions that might be caused by bugs in this profile, @alex_murray has suggested disabling the profile by default (i.e. moving it into `extras/`).
Reported-by: Alex Murray <alex.murray@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1553
Approved-by: Alex Murray <alex.murray@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
This manifested with chmod calls failing in autopkgtests of dbus and snapd
Reported-by: Alex Murray <alex.murray@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
In the following policy, "ptrace" would be dropped during merging:
```
$FOO=true
/bin/true {
if $FOO {
ptrace,
}
}
```
Current behavior:
```
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
```
With patch:
```
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
ptrace,
```
I am quite new to the AA code base, so please let me know if I'm missing something obvious and this is intended behavior :)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1551
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The original plan was to have a minimal subset for Perl excluding the stuff requiring language-dependent typemaps, but it turns out that there was only one thing that required that, and it was simple enough to copy over from the SWIG repo itself. This MR contains the single non-language-generic part of the SWIG updates.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1341
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
In the following policy, "ptrace" would be dropped during merging:
$FOO=true
/bin/true {
if $FOO {
ptrace,
}
}
Current behavior:
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
With patch:
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
ptrace,
This is the only language-dependent nontrivial portion of the SWIG
bindings, and this should be good enough for anyone who is still using the
Perl bindings now
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
When a test fails because of an unexpected success (XFAIL), do not display the empty error log as that may confuse the reader just as it had confused the author.
In addition, when something legitimately fails then display tail of trace log as that may show some useful information.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1548
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The the `attach_disconnectd` test is now passing on Ubuntu 24.04+.
The `posix_ipc` is passing everywhere.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1547
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This makes no sense since the test has passed and there's nothing to look at in the log.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
We should be using apparmor controlled domains for these files.
Rename the template file from
com.ubuntu.pkexec.aa-notify.policy
to
net.apparmor.pkexec.aa-notify.policy
And update the template file and the install file so that the files
that are generated use net.apparmor instead of com.ubuntu
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes#486
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1541
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
We should be using apparmor controlled domains for these files.
Rename the template file from
com.ubuntu.pkexec.aa-notify.policy
to
net.apparmor.pkexec.aa-notify.policy
And update the template file and the install file so that the files
that are generated use net.apparmor instead of com.ubuntu
Signed-off-by: John Johansen <john.johansen@canonical.com>
Follow up from !1544 with the other basic variables.
Variables such as `@{rand6}` and `@{word6}` are very commonly used as they allow us to restrict access from rules such as: `/tmp/*`, `/tmp/??????`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1546
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The install of the polkit action files for aa-notify leaks build root
information.
From OBS
apparmor-utils.noarch: E: file-contains-buildroot (Badness: 10000) /usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy
this is present on Ubuntu as well
<annotate key="org.freedesktop.policykit.exec.path">/build/apparmor-ZUzkoL/apparmor-4.1.0~beta4/debian/tmp/usr/lib/python3/dist-packages/apparmor/update_profile.py</annotate>
this occurs because the {LIB_PATH} template variable is being replaced
with the self.install_lib. Make sure we strip the build prefix if
we are generating the files in a build environment instead of doing
a direct install.
Closes: https://gitlab.com/apparmor/apparmor/-/issues/486
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes#486
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1540
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
This PR only adds the digit `@{d}` and integer `@{int}` variables.
It provides two improvements from the use of the `[0-9]*` glob:
- security: the glob means "a digit followed by anything but `/`", whereas `@{int}` means "up to 10 digits"
Next to the
- stability: using glob in path with `x` can expose to path conflict, removing the glob fixed a lot of issues.
These variables are used by a lot of abstractions that could be upstream here from apparmor.d (PR will follow). It is an import from 33681e14f2/apparmor.d/tunables/multiarch.d/system where other similar variables are in use: `@{hex}`, `@{rand}`, `@{word}`, `@{u8}`, `@{u16}`, `@{u64}`, `@{int2}...@{int64}` ...
They also all could be upstreamed here.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1544
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The install of the polkit action files for aa-notify leaks build root
information.
From OBS
apparmor-utils.noarch: E: file-contains-buildroot (Badness: 10000) /usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy
this is present on Ubuntu as well
<annotate key="org.freedesktop.policykit.exec.path">/build/apparmor-ZUzkoL/apparmor-4.1.0~beta4/debian/tmp/usr/lib/python3/dist-packages/apparmor/update_profile.py</annotate>
this occurs because the {LIB_PATH} template variable is being replaced
with the self.install_lib. Make sure we strip the build prefix if
we are generating the files in a build environment instead of doing
a direct install.
Closes: https://gitlab.com/apparmor/apparmor/-/issues/486
Co-Author: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
On certain lxc containers, when aa-genprof tries to set
printk_ratelimit, it fails with the OSError exception, with the
message "OSError: [Errno 30] Read-only file system" instead of
PermissionError.
Since PermissionError is a subclass of OSError, replace it by broader
OSError exception to include both cases in which running aa-genprof
fails.
Reported-by: Paulo Flabiano Smorigo <paulo.smorigo@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1539
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Instead of setting those variables unconditionally, set them if they
aren't externally set by environment variables. This will allow for usages
like DESTDIR=/some/other/dir make install in the utils directory.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1542
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Instead of setting those variables unconditionally, set them if they
aren't externally set by environment variables. This will allow for usages
like DESTDIR=/some/other/dir make install in the utils directory.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
On certain lxc containers, when aa-genprof tries to set
printk_ratelimit, it fails with the OSError exception, with the
message "OSError: [Errno 30] Read-only file system" instead of
PermissionError.
Since PermissionError is a subclass of OSError, replace it by broader
OSError exception to include both cases in which running aa-genprof
fails.
Reported-by: Paulo Flabiano Smorigo <paulo.smorigo@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Changes include:
- using `long` instead of `intmax_t` for `pid_t` typemap (32-bit build failure); see commit message for more details
- specifying messages for `static_assert` declarations (required up until C23, was accepted as a compiler extension on the systems I had tested this on previously)
- removing label-followed-by-declaration instance (also a C23 feature supported as extension)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1536
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The documentation was missing information about path sanitization, and
why you shouldn't do a leading @{VAR} on path rules. While the example
doing this was fixed, actual information about why you shouldn't do
this was missing.
Document how apparmor will collapse consecutive / characters into a
single character for paths, except when this occurs at the start of
the path.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1532
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
The message being optional is apparently a C23 thing that was available as an extension on the systems I tested on previously
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The previous code using intmax_t failed to build on armhf because
intmax_t was long long int instead of long int on that platform.
As to shrinking down to a long: not only does SWIG lack a
SWIG_AsVal_intmax_t, but aalogparse also assumes PIDs fit in a long
by storing them as unsigned longs in aa_log_record. Thus, we can
assume that sizeof(pid_t) <= sizeof(long) right now and deal with
the big headache that a change to pid_t would cause if it becomes
larger than a long in the future.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The documentation was missing information about path sanitization, and
why you shouldn't do a leading @{VAR} on path rules. While the example
doing this was fixed, actual information about why you shouldn't do
this was missing.
Document how apparmor will collapse consecutive / characters into a
single character for paths, except when this occurs at the start of
the path.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The unshare-userns-restrict profile contained a cx transition to
transition to a profile that allows most things while denying
capabilities:
audit allow cx /** -> unpriv,
However, this transition does not stack the unshare//unpriv profile
against any other profile the target binary might have had. As a result,
the lack of stacking resulted in a non-namespace-related sandboxing
bypass in which attachments of other profiles that should have confined
the target binary do not get applied. Instead, we adopt a stack similar
to the one in bwrap-userns-restrict, with the exception that unshare
does not use no-new-privs and therefore only needs a two-layer stack
instead of a three-layer stack.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1533
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The unshare-userns-restrict profile contained a cx transition to
transition to a profile that allows most things while denying
capabilities:
audit allow cx /** -> unpriv,
However, this transition does not stack the unshare//unpriv profile
against any other profile the target binary might have had. As a result,
the lack of stacking resulted in a non-namespace-related sandboxing
bypass in which attachments of other profiles that should have confined
the target binary do not get applied. Instead, we adopt a stack similar
to the one in bwrap-userns-restrict, with the exception that unshare
does not use no-new-privs and therefore only needs a two-layer stack
instead of a three-layer stack.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
