The log parsing in the Immunix::AppArmor perl module has fallen behind
when it comes to audit events from some of the newer rule types
supported by apparmor_parser.
When an unsupported event is found, it causes aa-logprof to error out.
This patch creates a list of valid, but unsupported, event operations
that should be ignored by the perl module when parsing logs.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The profile parsing in the Immunix::AppArmor perl module has fallen
behind when it comes to some of the newer rule types and syntax
supported by apparmor_parser.
When an unsupported rule is found, it causes aa-logprof and aa-genprof
to error out. This patch creates a list of valid, but unsupported rule
types that should be ignored by the perl module when parsing policy.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Patch by Kshitij Gupta <kgupta8592@gmail.com>
A previous bugreport [1] was fixed using the smartmatch operator,
which raised the minimum Perl version requirement to >=5.10.1 .
However in Perl5.18 the smartmatch operator has again become
"experimental" [2] so the following patch replace smartmatch operator
with grep and thereby avoiding the requirement hike and avoiding
warnings.
[1] https://bugs.launchpad.net/apparmor/+bug/1180230
[2] http://blogs.perl.org/users/mike_b/2013/06/a-little-nicer-way-to-use-smartmatch-on-perl-518.html
ACKed-by: Christian Boltz <apparmor@cboltz.de>
/etc/apparmor/profiles/extras/, and update the path at various places.
Also update the mailinglist address in extra-profiles README and
recommend cp instead of mv.
Note: if you want to have a symlink
/etc/apparmor/profiles/extras -> /usr/share/apparmor/extra-profiles/
for backward compability, you'll have to create it yourself (for example
in the .spec file)
This also fixes https://bugzilla.novell.com/show_bug.cgi?id=713647
Acked-by: John Johansen <john.johansen@canonical.com>
When writing out a profile, aa-logprof incorrectly converts PUx execute
permission modes to the syntactically invalid UPx mode, because the
function that converts the internal representation of permissions to
a string emits the U(nconfined) mode bit before the P bit.
This patch corrects this by reordering the way the exec permissions
are emitted, so that P and C modes come before U and i. Based on
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
this should emit the modes correctly in all combined exec modes.
Other approaches to fixing this would require adjusting the data
structure that contains the permission modes, resulting in a more
invasive patch.
Bug: https://launchpad.net/bugs/982619
This patch calls autodep on the 'exec'ed binary when the user selects
to place that execution in a child profile. Previously, logprof would
create an entirely empty child profile in complain mode (this fix
still leaves the child profile in complain mode).
This patch fixes a couple of issue with autodep:
1) The initial profile construction had not been adjusted to include
the 'allow' or 'deny' hash prefixing the path elements. This
fixes it by eliminating the path portion entirely and pushing
the path based accesses to the later analysis section of code.
2) the mode of the original binary was accidentally getting reset
to 0, when it was intended to initialize the audit field to 0.
Subject: apparmor-utils: Add support for creds and path operations
References: bnc#564316
2.6.29 introduced the path security_operations and credentials
This patch adds support for those operations to the log parser.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Resolved merge conflict and removal operation already supported by
the log parser.
Acked-by: John Johansen <john.johansen@canonical.com>
instead.
Needed at least on upgraded Ubuntu machines that went from messages to
syslog recently. If this causes problems, we can easily revert it.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
the modifiers as lowercase (meaning to pass on sensitive environment
variables to the exec'ed process) even if the user told them not to
when prompted. This patch fixes the issue.
Subject: apparmor-utils: Fix handling of files in /
References: bnc#397883
The separate handling of files and directories with realpath is broken.
For files e.g. /foo, $dir ends up being empty since the / is eaten by
the regex. realpath resolves an empty argument as the current directory,
resulting in an incorrect path.
There's no explanation of why the separate handling was used in the
first place.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor-utils: Add check_for_apparmor helper.
This should be an alias but those get complicated quickly in perl.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor-utils: setprofileflags() drops leading whitespace
References: bnc#480795
setprofileflags() drops leading whitespace for subprofiles. writeheader()
properly indents subprofiles 2 spaces per nesting level but when
genprof sets the profile to enforce mode at completion, the whitespace
is removed.
This patch adds the whitespace globbing to the regexp and uses it to
prefix the sub-profile with the correct spacing.
Reported at: https://bugzilla.novell.com/show_bug.cgi?id=480795
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include <tunables/global>
/home/jeffm/mycat flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
/bin/bash ix,
/bin/cat cx,
/home/jeffm/mycat r,
profile /bin/cat {
#include <abstractions/base>
/bin/cat r,
/home/jeffm/mycat r,
}
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/707092
Subject: Subdomain.pm: Fix for null path
References: bnc#407959
When handling the following log entry, logprof will spew perl errors and
ultimately generate an invalid config: "r,"
Since there is nothing to do with a null path, just skip to the next entry.
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
[Note that the second half of the OpenSUSE patch had already been applied.]
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
References: bnc#307067
The initial generation of the base profile is required to be written out
to put the process in complain mode for observation. If the user
decides to abort the profiling session, that base profile is left
behind.
This patch removes all profiles created during the run up to an abort.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
This patch fixes a logprof bug where when profiles with variable
declarations at the top level (not hidden in an include) were written
back to a file, a trailing comma was being added to the declaration
statement, which is invalid apparmor policy syntax. This patch corrects
this and no longer adds the trailing comma.
Subject: apparmor: Fix network event parsing
References: bnc#665483
The upstream version of AppArmor had network mediation but it was
removed. There's a compability patch floating around that both openSUSE
and Ubuntu have applied to their kernels. Unfortunately, one part was
overlooked. The socket operation event names where changed from the
socket_ prefixed names they had when AppArmor was out-of-tree and
utils/SubDomain.pm was never updated to understand them.
This patch adds an operation-type table so that the code can just
do a optype($operation) call to discover what type of operation a
particular name refers to. It then uses this in place of the socket_
checks to decide whether an event is a network operation.
This allows genprof and logprof to work with networking rules again.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/706733
"SubDomain" in some way. This leaves only "subdomain.conf" and the
function names internally.
Additionally, I added a "make check" rule to the utils/Makefile to do a
simple "perl -c" sanity check just for good measure.
