This adds support for the new v8 network mediation in the 4.17 and later kernels.
It requires that policy either be tagged with an abi rule that support the v8 network, or the policy be pinned with --policy-features= with a feature abit that supports v8 network.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Acked-by: Steve Beattie <steve.beattie@canonical.com>
af_unix allows for sockets to be bound to a name that is autogenerated.
Currently this type of binding is only supported by a very generic
rule.
unix (bind) type=dgram,
but this allows both sockets with specified names and anonymous
sockets. Extend unix rule syntax to support specifying just an
auto bind socket by specifying addr=auto
eg.
unix (bind) addr=auto,
It is important to note that addr=auto only works for the bind
permission as once the socket is bound to an autogenerated address,
the addr with have a valid unique value that can be matched against
with a regular
addr=@name
expression
Fixes: https://bugs.launchpad.net/apparmor/+bug/1867216
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
v8 network permissions extend into the range used by exec mapping
so it is important to not blindly do execmapping on both the
file dfa and policydb dfa any more.
Track what type of dfa and its permissions we are building so
we can properly apply exec mapping only when building the
file dfa.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and allow dovecot to Px to it.
The profile is based on a profile I received in a bugreport, with the actual script factored out. Note that you'll *need* to add a rule to the local/ include to allow executing the actual script, but since the script to execute is configurable, it's basically impossible to add a default rule for it.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1166007
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/635
Acked-by: John Johansen <john.johansen@canonical.com>
If an exec gets denied in enforce mode, there are no log events for the target binary/profile. Therefore, trying to set the final_name for the target will crash with a KeyError.
Check for the existence of hashlog\[aamode\]\[target_profile\] in all exec options to prevent this crash.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/634
Acked-by: John Johansen <john.johansen@canonical.com>
Add a basic tool for manipulating the apparmor features abi via
libapparmor. This serves as a basic tool and as an example of using
the library api.
Currently its function is limited to extracting the kernel feature
abi and loading a feature abi from a file and then outputing it.
In the future it will pickup the ability to verify the feature
abi, and merge feature abis.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/613
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
... and allow dovecot to Px to it.
The profile is based on a profile I received in a bugreport, with the
actual script factored out. Note that you'll _need_ to add a rule to the
local/ include to allow executing the actual script, but since the
script to execute is configurable, it's basically impossible to add a
default rule for it.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1166007
If an exec gets denied in enforce mode, there are no log events for the
target binary/profile. Therefore, trying to set the final_name for the
target will crash with a KeyError.
Check for the existence of hashlog[aamode][target_profile] in all exec
options to prevent this crash.
Note that the log doesn't include enough information for EXEC MODE and EXEC COND, therefore aa-logprof will always propose ALL as EXEC COND (comm= might give a hint about EXEC COND, but isn't good enough).
With the added support in aa-logprof, remove the changeprofile tests from the known-failing list in test-libapparmor-test_multi.py.
Also add another test log (from darix) / expected profile to the libapparmor testsuite.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/631
Acked-by: John Johansen <john.johansen@canonical.com>
When switching to complain or enforce mode (for example with aa-complain and aa-enforce), remove conflicting flags like kill and unconfined.
As ground work, change add_or_remove_flag() to allow to add or remove multiple flags. Multiple flags can be given as string (will be split) or as array.
Also add some tests confirming that everything works as expected.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/633
Acked-by: John Johansen <john.johansen@canonical.com>
Snapd now loads its own policy via its own systemd unit
https://github.com/snapcore/snapd/pull/8467
If A distro is not using snapd systemd unit then dropping snapd policy
from the apparmor unit is a breaking change, distros will either need
to use the snapd systemd unit or revert
0164fd05 init: stop loading snap policy
Signed-off-by: John Johansen <john.johansen@canonical.com>
snapd now loads its snap policy via its own systemd unit, so stop
loading the snap policy in /var/lib/snapd/apparmor/profiles
Fixs: https://launchpad.net/bugs/1871148
Signed-off-by: John Johansen <john.johansen@canonical.com>
Note that the log doesn't include enough information for EXEC MODE and
EXEC COND, therefore aa-logprof will always propose ALL as EXEC COND
(comm= might give a hint about EXEC COND, but isn't good enough).
With the added support in aa-logprof, remove the changeprofile tests
from the known-failing list in test-libapparmor-test_multi.py.
Also add another test log (from darix) / expected profile to the
libapparmor testsuite.
... when reading /proc/$pid/attr/{apparmor/,}current
Also add a comment about _not_ adding support for the 'unconfined'
profile mode, because that would give a quite confusing output.
This means moving the code that reads the 'current' file into a new
function read_proc_current()Then call that function for both
/proc/$pid/attr/apparmor/current (preferred) and /proc/$pid/attr/current
(fallback).
As of [48755ebf](https://www.openhub.net/p/dnsmasq/commits/1679009518), dnsmasq iterates through directory entries in /proc/self/fd/ to find which file descriptors are open to avoid the potentially costly operation of closing all possible file descriptors.
While the current profile does not make dnsmasq inoperable, this change permits AppArmor users running dnsmasq to avoid falling back on the generic code path.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/628
Acked-by: John Johansen <john.johansen@canonical.com>
New kernels provide an alternative proc attr interface for apparmor
which is needed for LSM stacking.
Update the remaining profiles that use the old interface to
include access to the new interface.
Signed-off-by: John Johansen <john.johansen@canonical.com>
As of [48755ebf], dnsmasq iterates through directory entries in
/proc/self/fd/ to find which file descriptors are open to avoid the
potentially costly operation of closing all possible file descriptors.
[48755ebf]: https://www.openhub.net/p/dnsmasq/commits/1679009518
MR625 fixed hats not emitting the rule to access the proc interface needed for change_hat, but it broke the rule being emitted for the parent (which used to work).
The proc attr access rule should be emitted for any profile that is a hat OR any profile that contains hats.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Acked-by: Steve Beattie <steve.beattie@canonical.com>
39ca2adff6 removed the usr.lib.postfix prefix from the filename, but missed to change the remaining dot to a "-" to fully match the profile names.
Note: This affects only master. 2.13 and older still have the `usr.lib.postfix.*` filenames.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/624
Acked-by: Steve Beattie <steve.beattie@canonical.com>
This add a test to ensure that the parser is inserting rules to allow
access to the proc interface for change_hat.
Unfortunately the rule the parser inserts is a bare owner write that
we can't replicate in policy as policy write perm maps to create,
append and write.
So to test equality compare profiles using rules granting access to
the proc attr interface except one uses the append permission and
the other uses write. They will differ in permissions unless the
parser inserts the proc attr write rule for change_hat in which
case the permissions will get merged and we have equivalence.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Signed-off-by: John Johansen <john.johansen@canonical.com>
LSM stacking adds new interfaces
/proc/<pid>/attr/apparmor/*
that should be used in preference of the old interface files in
/proc/<pid>/attr/*
The library has already been updated to use the new path but the
abstraction for change_profile has not so accessing the new interface
in a confined application fails.
Fix this by making the abstraction cover the old and new interfaces.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR625 fixed hats not emitting the rule to access the proc interface
needed for change_hat, but it broke the rule being emitted for the
parent (which used to work).
The proc attr access rule should be emitted for any profile that
is a hat OR any profile that contains hats.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser is supposed to add a rule to profiles if they are a hat
or contain hats granting write access to the kernel interfaces
used to perform the change_hat operation.
Unfortunately the check is broken and currently won't add the
rule to hats (it does add it for the parent).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/625
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
serialize_profile() assumes that active_profiles has the /etc/apparmor.d/ filename of a profile initialized.
This patch makes sure this is true even when using an extra profile by initializing it in get_profile().
Ideally serialize_profile() shouldn't always use active_profiles, but that will be part of a bigger change.
Reported by zt1024 including a proposed patch on https://gitlab.com/apparmor/apparmor/-/merge_requests/604 but of course ;-) this patch is better because it selectively does the initialization only in the case that needs it.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/623
Acked-by: John Johansen <john.johansen@canonical.com>
serialize_profile() assumes that active_profiles has the
/etc/apparmor.d/ filename of a profile initialized.
This patch makes sure this is true even when using an extra profile by
initializing it in get_profile().
Ideally serialize_profile() shouldn't always use active_profiles, but
that will be part of a bigger change.
Reported by zt1024 including a proposed patch on
https://gitlab.com/apparmor/apparmor/-/merge_requests/604
but of course ;-) this patch is better because it selectively does the
initialization only in the case that needs it.
Convert the two commented-out fprintf() lines in is_merged_x_consistent() to useful debug logging using PDEBUG macro.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/616
Acked-by: John Johansen <john.johansen@canonical.com>
A copy/paste error leads to a build failure due to an undefined variable "name" in parser_misc.c:clear_cap_flag().
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/608
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
php-fpm: fix profile name in php-worker
This is analogous to 9892a032. It allows php-fpm to manage the worker threads by allowing the threads to receive signals from php-fpm (rather than the nonexistent profile `/usr/sbin/php-fpm*`).
See merge request apparmor/apparmor!619
Acked-by: Christian Boltz <apparmor@cboltz.de>
A debug message in reset_parser() gives developers more data about how
the parser is behaving. In addition, it provides much needed context to
the relatively vague debug message in clear_cap_flag().
Another solution might be to pass the profile name into
clear_cap_flag(), however, clear_cap_flag() does not need the profile
name, except potentially for debugging purposes.
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
A copy/paste error leads to a build failure due to an undefined variable
"name" in parser_misc.c:clear_cap_flag().
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
