write_include() was the only user of write_single(), and write_single()
had some include-specific code. This patch gets rid of write_single().
write_include() gets a simplified version of the code instead of calling
write_single().
tools: Mark profiles with multiple rules in one line as known-failing
See merge request apparmor/apparmor!61
Acked-by: John Johansen <john.johansen@canonical.com>
The tools don't support having multiple rules in one line (they expect
\n after each rule), therefore mark some of the bare_include_tests as
known failures.
console_select_and_upload_profiles() and set_profiles_local_only() both
use a local variable named 'profs'. Rename it to 'profiles'.
This is the first baby step for rewriting how aa.py stores the profiles
internally. I plan to use 'profs' as variable name instead of 'aa', and
this commit gets the result for "grep -r profs" down to 0.
Some of the regression tests are missing conditionals or have the
wrong conditionals so that they fail on current upstream kernels.
Fix this by adding and changing conditionals and requires where
appropriate. With the patches the tests report passing on 4.14 and
4.15 kernels.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time out
This is a minimal patch to add conditional includes to the profile
language.
The syntax for conditional includes is similar to regular includes
except with the addition of "if exists" after "include"
include if exists <foo/bar>
include if exists "foo/bar"
include if exists "/foo/bar"
include if exists foo/bar
Note: The patch is designed to be backportable with minimum
effort. Cleanups and code refactoring are planned for follow up
patches that won't be back ported.
Signed-off-by: John Johansen <john.johansen@canonical.com>
includes were not handling WS in path names correctly. Allow WS within
quotes. Eg
include "foo bar"
include <"foo bar">
BugLink: http://bugs.launchpad.net/bugs/1738880
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/
See merge request apparmor/apparmor!57
Acked-by: John Johansen <john.johansen@canonical.com>
On current Debian sid it needs to read
/usr/share/dovecot/protocols.d/imapd.protocol, which is not surprising given it
already needed read access to /usr/share/dovecot/protocols.d/.
Install pam_apparmor.so with write permission for its owner.
See merge request apparmor/apparmor!56
Acked-by: John Johansen <john.johansen@canonical.com>
I could not find the reason why the upstream Makefile has been installing it
with permissions 555: this predates the migration from SVN.
Regardless, at least on Debian and derivatives, dh_fixperms has been
changing these permissions to 755 forever so it was causing problems,
likely we would know about it by now.
The initial motivation for this change is supporting rootless builds on Debian
and derivatives, also known as "Rules-Requires-Root: no":
- /usr/share/doc/dpkg-dev/rootless-builds.txt* on a Debian system
with a sufficiently recent dpkg-dev installed
- https://nthykier.wordpress.com/2017/10/29/building-packages-without-fakeroot/
- https://lists.debian.org/debian-devel/2017/10/msg00520.html
With this change applied upstream, Debian-based downstreams don't need to adjust
their debian/rules to make this work with "Rules-Requires-Root: no":
chrpath -d $(CURDIR)/debian/tmp/lib/security/pam_apparmor.so
This is needed by new versions of notify-send, as found on openSUSE
Tumbleweed. Without this, desktop notifications don't work anymore, and
notify-send starts to eat up CPU.
If DBUS_SESSION_BUS_ADDRESS is already set, it won't be changed.
This is a minimal patch so that it can be backported to 2.11 and 2.10
which reverts the abort on error failure when the cache can not be
created and write-cache is set.
This is meant as a temporary fix for
https://bugzilla.suse.com/show_bug.cgi?id=1069906https://bugzilla.opensuse.org/show_bug.cgi?id=1074429
where the cache location is being mounted readonly and the cache
creation failure is causing policy to not be loaded. And the
thrown parser error to cause issues for openQA.
Note: A cache failure warning will be reported after the policy load.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz apparmor@cboltz.de
(cherry picked from commit 42b68b65fe1861609ffe31e05be02a007d11ca1c)
This patch supports rolling a tarball for a release, as well as doing
'make tag'. Only stuff that's been committed should get incorporated
into the tarball.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Denying it means netstat -p (actually tested with -tulpen) can't find
out the program name.
sys_ptrace is "only" needed for tracing processes that run under a
different uid.
Also add ptrace (read), for systems that support ptrace rules.
For now we only allow quoted absolute paths without spaces in the name
due to:
- 1738877: include rules don't handle files with spaces in the name
- 1738879: include rules don't handle absolute paths without quotes in
some versions of parser
- 1738880: include rules don't handle relative paths in some versions of
the parser
