Extend common DebugLogger with option to log to stderr
See merge request apparmor/apparmor!325
Acked-by: Eric Chiang <ericchiang@google.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This makes it possible for e.g. command line tools to have the --debug
option and when invoked print the existing debug messages directly to
stderr so the user running the command can see them.
kde: fix global settings access for Kubuntu and openSUSE
See merge request apparmor/apparmor!322
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
Rewrite aa-decode to use inline Python as Perl is to be deprecated
See merge request apparmor/apparmor!321
Acked-by: Eric Chiang <ericchiang@google.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Defining 'stderr = subprocess.STDOUT' as a default value for function
did not work and the 'stderr' was always empty, thus also 'outerr' was
always empty and not standard error contents was ever considered in any
way.
Best in fact was to remove excess function arguments as they were not even
used and replace it with a simpler and less error prone structure.
Even after reading 'stderr' correctly it did not help much as all tests
used 'assertIn' which ignored excess output. Better replace the normal
output with the error output if there ever was something, since stderr
is most likely a serious thing and tests should stop on it.
- Add documentation stub for what the UI module is and how JSON works
- Make indentation consistent
- Use pythonic 'if' clauses
- Add two spaces after function definitions (Python style)
Exceptions are
- ubuntu-browsers (because we already have ubuntu-browsers.d with
different usage)
- ubuntu-helpers (which includes the sanitized_helper subprofile, so
adding something in the global area wouldn't make much sense)
Also adjust abstractions/postfix-common to use the style all
abstractions use.
Commit b5be596460 added ability to read
/usr/share/drirc.d/ directory to mesa abstraction.
This seems to be a mistake, as it was noted that not all GUI
applications, that need access to drirc.d, also need whole mesa-related
rules (including writing caches).
Move /usr/share/drirc.d/ access to different abstraction. This is not a
breaking change, because any GUI application will have included X
abstraction already, and in the end result - dri-common abstraction too.
Fix typo introduced when resolving a merge conflict for d9ab83281b
("Add support for local additions to abstractions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Local policy may want to extend or override abstractions, so add support for including local updates to them.
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: intrigeri <intrigeri@boum.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Latest netconfig in openSUSE writes /run/netconfig/resolv.conf, and only
has a symlink to it in /etc
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1097370
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.
Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.
Also drop the now unused function get_profile_filename()
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
PR: https://gitlab.com/apparmor/apparmor/merge_requests/296
Signed-off-by: John Johansen <john.johansen@canonical.com>
This updates the mysqld to what I use on my servers nowadays.
Note: my profile also has capability sys_resource,, but I'm not sure why I had to add this and therefore didn't include it in this merge request.
Speaking about "why I had added $whatever" - these changes were collected over the last years and of course ;-) I don't remember any details.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/310
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
dnsmasq: allow peer=libvirtd to support named profile
See merge request apparmor/apparmor!304
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
The /usr/sbin/libvirtd profile will get a profile name ("libvirtd").
This patch adjusts the dnsmasq profile to support the named profile in
addition to the "old" path-based profile name.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1118952#c3
*Add anonymous shared memory access rule for QtSettings.conf file
itself.
* Reduce strictness of anonymous shared memory file names - numbers in
them can be smaller or bigger.
* Fix consistency - require anonymous shared memory file names to end
with digit in all rules.
parser/apparmor.systemd: fix minor issues detected by shellcheck
See merge request apparmor/apparmor!293
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
See merge request apparmor/apparmor!299
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.
Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
Commit 0d5ab43d59 removed support for loading
modules and introduced a caller, in apparmor_start(), that passes no argument to
is_apparmor_present(), which breaks that function when /bin/sh → /bin/dash.
Passing a module name as argument does not make sense since we dropped support
for the long obsolete "subdomain" module, so let's simplify
is_apparmor_present() and adjust its callers accordingly.
Bug-Debian: https://bugs.debian.org/917874
