Adapted from https://nordisch.org/posts/php-fpm-apparmor/, port the
nextcloud-independent portion of the php-fpm worker abstractions and
php-fpm isolation for more general usage.
Signed-off-by: Antonio Russo <antonio.e.russo@gmail.com>
utils `make check_severity_db` will fail the build if a (probably new)
capability in not listed in severity.db. This also means it should print
out an ERROR, not a warning.
This is a follow-up of lp#1890547 and
https://gitlab.com/apparmor/apparmor/-/merge_requests/589
Nobody told the tools that log events with operation="symlink" exist. Add this keyword to the list of file or network operations (I don't expect network symlinks ;-) but keeping everything in that list makes things easier than special-casing it.)
Also add the log sample and expected result to the libapparmor tests.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/107
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/587
Acked-by: John Johansen <john.johansen@canonical.com>
Nobody told the tools that log events with operation="symlink" exist.
Add this keyword to the list of file or network operations (I don't
expect network symlinks ;-) but keeping everything in that list makes
things easier than special-casing it.)
Also add the log sample and expected result to the libapparmor tests.
Fixes https://gitlab.com/apparmor/apparmor/-/issues/107
The fixes that landed for #98 are incomplete: they only added a check to
ensure that the parser is built, and not libapparmor as well, and also
didn't adjust the invocation of aa-logprof to actually make use of the
built libapparmor or its swig python library.
Furthermore, neither it nor the tests in utils/ add the location of the
swig libapparmor C library to the library search path, meaning that if
the system one does not exist, it will not be found and the test will
fail.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
Similar to the profiles/ check using the python utilities, the
tests for the python utilities were not including the path for the
swig libapparmor library in the LD_LIBRARY_PATH variable, only in
PYTHONPATH. This commit fixes that, renaming the variable used for
the built libapparmor check.
v2:
- actually use the LIBAPPARMOR_PATH variable when defining
LD_LIBRARY_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The commit c8b6d8b393 ("profiles: Update 'make check' to select tools
based on USE_SYSTEM") set a bunch of variables but neglected to apply
them when invoking aa-logprof. This commit addresses this by:
* correcting the PYTHONPATH used with aa-logprof
* setting LD_LIBRARY_PATH when invoking aa-logprof
* adjusting LD_LIBRARY_PATH to include both the directory location
of libapparmor but also the swig libapparmor library needed for
python tools to function.
* adjusts the test for the presence of libapparmor to not use
LD_LIBRARY_PATH but instead a libapparmor specific variable
LIBAPPARMOR_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Fixes: c8b6d8b393
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
When running the 'check-logprof' test using tools in the tree,
libapparmor needs to have been built for the python utilities to work.
Add a check for its existence to the test-dependencies target.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The "local" make target does not depend on the parser having been
built. Create a separate "test-dependencies" target and have the tests
that need them depend on that and the "local" target, when validating
the profile set against the apparmor tools.
Fixes: c8b6d8b393
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The authentication, base and nameservice abstraction used /{usr/,}etc/
in several rules. Switch that to the more readable (and tunable)
@{etc_ro} variable.
Add a couple of bitmap renderings of the logo for convenience
128x128 pixel rendering of the logo
700x700 pixel rendering of the logo
Signed-off-by: John Johansen <john.johansen@canonical.com>
The profiles dirs make check is not always using the correct tools.
Update it to be similar to other Makefiles where the var USE_SYSTEM
make check USE_SYSTEM=1
is used to indicated that the system installed tools should be used
and
make check
is used to run the tests against the in tree tools
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The hashing of the featue set is wrong because it is hashing the
whole feature structure instead of just the feature string.
This results in the refcount and hash field becoming part of the
hash and the feature string not being completely hashed as the
bytes of the refcount and hash field are being counted in the
as part of the string length when the hash is taken.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/583
Reported-by: Samuele Pedroni <samuele.pedroni@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
This adds support for the new PERFMON, and BPF capabilities.
In addition this updates AppArmor's handling in several ways.
* Move to a static capability list that is compared to the automatically generated capability list, and fail the build if new capabilities are detected. This is required to ensure backwards mapping of capabilities is properly handled.
* allow an already built apparmor to dynamically detect any new additions of capabilities so a release patch doesn't need to be made to support new capabilities. This however will be missing support for backwards mapping of capabilities
* support backwards mapping of new capabilities that have been split of existing capabilities for older kernels (eg. CAP_PERFMON was split off of CAP_SYS_ADMIN)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/578
Acked-by: Seth Arnold <seth.arnold@canonical.com>
If a capability is known in policy but not by the kernel, check to see if it has
a backwards mapping to a different capability and use that instead.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The kernel and policy abis can be used to detect and support new
capabilities without having to update base_cap_names.h and and
rebuilding the compiler.
This is not perfect however in that the does not provide any backwards
compatibility mappings, so we still need to keep the internal
capability table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently features doesn't provide a way to query a features
value. So add an api to extract the value string of a feature.
The value string returned is a raw text value and may contain
leading spaces, etc that the caller may need to be aware of.
Signed-off-by: John Johansen <john.johansen@canonical.com>
We need to be able to dynamically add capabilities to the capability
list so switch to using a dynamically allocated table that we can
extend.
Signed-off-by: John Johansen <john.johansen@canonical.com>
We need a set of flags to track where a capability can from so we know
how to processes it for policy compatibility purposes.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some capabilities like perfmon and bpf have been split out from
another capability, likely cap sys_admin. Add this backmapping
infomation so that the parser can take advantage of it to support
policy on older kernels that don't support the new capabilities.
Signed-off-by: John Johansen <john.johansen@canonical.com>
There are currently two capability name tables the one that is
autogenerated and an internal hardcoded name table.
Now that the autogenerated table has been converted to a base
static table we can drop the internal static table. This
removes the chance of getting the tables getting out of sync.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The static cap sys_log declaration is no longer needed as
base_cap_names.h contains it and ensures that it will always be
present.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The auto-generated cap_names.h has problems when the parser if the
parser is built against a kernel with a smaller capability list than
the kernel policy is being compiled for.
Moving to a pre-generated list lets us support all capabilities even
when we build against older kernels. However we don't want to only use
the pre-generated list as that would make it too easy to miss when a
new capability has been added.
Keep auto generating the caps list and compare it to the pre-generated
caps list so we can detect when new capabilities are added, and fail
the build so that the pre-generated list can be updated. We screen the
diff for only additions so that the parser can continue to build on
older kernels that don't have the full capability list without errors.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Mikhail Morfikov has discovered [0] that some font packages in Debian
ships font files in /usr/bin/fonts-foo-bar (like
/usr/share/fonts-font-awesome/ for example). This produces denials for
GUI applications.
Update fonts abstraction to allow reading /usr/bin/fonts-* directories.
Also, refactor abstraction to aggregate two old rules into one.
Closes#94
[0] https://gitlab.com/apparmor/apparmor/-/issues/94
When aa-autodep or aa-genprof create a new profile, always add an abi rule. (Hardcoded to <abi/3.0> for now to keep things simple.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/571
Acked-by: John Johansen <john.johansen@canonical.com>
This fixes a regression introduced by the abi patches for policy that
is not tagged with an abi rule.
Specifically if the current apparmor (apparmor 3) is used with a
kernel that supports unix rules, and policy has network rules but has
not been updated to use abi rules, without this patch the policy unix
rules will stop working and unix mediation will not be enforced.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/568
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
The lexer is broken and passing echo input to stdout that it doesn't match in some states ignoring the error.
First add `%option nodefault` to guarantee the lexer won't ever echo the unknown input to stdout, this will cause the parser to error out with
```
flex scanner jammed
```
and $?=2 if a profile contains unknown/invalid parts. That's not really a helpful error message, but still better than ignoring errors.
Next improve the error message output,
```
AppArmor parser error for tst/simple_tests//vars/vars_simple_assignment_14.sd line 8: Lexer found unexpected character: '
' (0xa) in state: SUB_ID_WS
```
using flex's error output only if there is an mistake made when introducing new states.
Finally fix bugs that are found.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Acked-by: Steve Beattie <steve.beattie@canonical.com>
* allow reading my.cnf in dovecot-dict profile (seen with the mail users in a mysql database)
* allow /proc/\*/attr/current in dovecot imap and lmtp (needed when using the "apparmor" plugin which means dovecot switches to user-specific hats)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/566
Acked-by: John Johansen <john.johansen@canonical.com>
Newlines should generally be treated as whitespace. Expand the list
of states using the newline rule to include almost all rules that
eat WS.
There are two exceptions assign and comment which have special handling
of newlines.
this fixes the failures
not ok 71543 - ./simple_tests//vars/vars_simple_assignment_13.sd: quoted commas should not trigger an error
not ok 71544 - ./simple_tests//vars/vars_simple_assignment_14.sd: quoted commas should not trigger an error
found by introducing nodefault
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
