Commit graph

5754 commits

Author SHA1 Message Date
John Johansen
0dc86bfeb3 profiles: fixup chromium profile
- drop out dated maintenance comment
- cleanup profile name rules, and fix a few broken references
- /usr/lib -> /{usr,}/lib
- lib -> lib{,32,64}

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/611
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
2020-09-03 11:44:19 -07:00
John Johansen
6e5ad15adf Merge nvidia_modprobe: allow creating /dev/nvidia-modeset
On Debian Sid we get this denial:

```
type=AVC msg=audit(1599065006.981:527): apparmor="DENIED"
operation="mknod" profile="nvidia_modprobe" name="/dev/nvidia-modeset"
pid=12969 comm="nvidia-modprobe" requested_mask="c" denied_mask="c"
fsuid=0 ouid=0
```

Update nvidia_modprobe profile to allow creating device file.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/614
Acked-by: John Johansen <john.johansen@canonical.com>
2020-09-03 18:01:49 +00:00
Vincas Dargis
e6dbe3bfd3 nvidia_modprobe: allow creating /dev/nvidia-modeset
On Debian Sid we get this denial:

```
type=AVC msg=audit(1599065006.981:527): apparmor="DENIED"
operation="mknod" profile="nvidia_modprobe" name="/dev/nvidia-modeset"
pid=12969 comm="nvidia-modprobe" requested_mask="c" denied_mask="c"
fsuid=0 ouid=0
```

Update nvidia_modprobe profile to allow creating device file.
2020-09-03 18:20:33 +03:00
John Johansen
761008f1b6 parser: fix yyerror message to not duplicate file name output
yyerror is outputting the file name twice when not in a profile or
the profilename global is not defined. Drop the second output of
the file name as it just clutters up the error message.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/610
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Mike Salvatore <mike.salvatore@canonical.com>
2020-09-03 07:19:21 -07:00
John Johansen
fe0d4e8aa3 parser: Fix debug build of flex scanner
yyno_top_state was set as part of getting rid of the need to link against
libfl.

However we actually need the ability when the scanner is built with
debugging. Fix it so the option and libfl linking are conditionally
used based on whether DEBUG is defined.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/609
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Mike Salvatore <mike.salvatore@canonical.com>
2020-09-02 15:38:12 -07:00
John Johansen
375b75bdc2 Merge Warn flags and -Werror support
Add flags to be able to control parser warnings, and convert warnings into errors.

Flags can be enabled by using `--warn` followed by a single flag. If multiple flags need to be set --warn can be specified multiple times.

Eg.

```
  --warn=deprecated --warn=rule-downgrade
```

Flags can be disabled by prefixing the flag name with `no-`

Eg.

```
  --warn=no-config
```

The set of currently enabled flags can be seen by specifying

```
  --warn=show
```

and the set of supported flags can be seen by specifying

```
  --help=warn
```

The default set of warning flags that are enabled are

```
  WARN_CONFIG - config warnings
  WARN_CACHE - cache warnings that were not hidden behind debug-cache
  WARN_JOBS - warnings around job failures
  WARN_UNEXPECTED - warnings about internal consistency checks against what is expected from kernel
  WARN_OVERRIDE - warnings about overriding some option, currently limited to forcing an override on a namespace.
```

Warnings can be converted into errors by specifying `-Werror`. It supports all the same options as `--warn`. A warning must be turned on before the warning can be converted into an error message.

```
   --warn=deprecated --Werror=all
```

Will create error messages for deprecation warnings but not for rule-downgrades. -Werror is disabled by default.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Acked-by: Steve Beattie <steve.beattie@canonical.com>
2020-09-02 02:56:48 +00:00
John Johansen
dadc39507b parser: fix --warn and --Werror so they work with --config-file
--config-file is processed early in a separate argument processing
pass. Adjust --warn and --Werror processing so they are done in
both the early and late arg processing pass.

--warn and --Werror must be run in both argument processing passes
so that
1. They can be used with --config-file as long as they are specified
   before --config-file (early pass)
2. They are not overridden by any flags set in the config file, as
   command line options take priority over what is in the config
   file (hence the need for reprocessing in the second pass)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
3d7cfb29f9 parser: enable printing Werror flag settings
Make it so --Werror=show can display which flags have been set.

In addition update its --help=Werror flag table to display

   ./apparmor_parser --Werror=[Option]

instead of --Warn

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
9c1803d62a parser: cleanup/fix flagtable display for the warn, dump, and Optimize options
This changes the flagtable header from

     warn: --./apparmor_parser [Option]
     -O: --./apparmor_parser [Option]
     dump: --./apparmor_parser [Option]

  to
     ./apparmor_parser: --warn=[Option]
     ./apparmor_parser: -O [Option]
     ./apparmor_parser: --dump=[Option]

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
6e6f99e0b8 parser: add the ability to print what flags are set in option flag tables
Add the ability to show which warnings are enabled by specifying "show"
as an argument to the --dump, --warn, and --Optimize options

  Eg.
     --warn=show

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
db07b131b5 parser: unify flagtable printing for warn, dump and optimize
warn, dump, and optimize share common printing of their option flag
tables, refactor and unify.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
3d54324db0 parser: allow specifying --warn=no-XXX to turn off warnings
Some warning flags are enabled by default, allow a warning to
be disabled by specifying no- in front of the warning.

  Eg.
    --warn=no-deprecated

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
343024b4a3 parser: Add option --Werror to enable turning warnings into errors
Add basic ability to treat a warning as an error and abort the compile
by specifying the new option --Werror.

  --Werror

will turn all warnings into errors. Whereas if a warning type is
specified only that type of warning will be turned into an error.

  --Werror=deprecated.

The full list of supported warning types can be found by using

     apparmor_parser --help=warn
   or
     apparmor_parser --help=Werror

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
f5c4927c85 parser: convert remaining pwarn() to flag controlled warns
Make all warnings that go through pwarn() controllable by warning
flags. This adds several new warning control flags, documented in

  --help=warn

Convert --debug-cache to be unified with warning flags. So it can be
set by either
    --debug-cache
  or
    --warn=debug-cache

Also add an "all" option to be able to turn on all warnings.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
d50ada7159 parser: Add warning flag that can toggle a set of developer warnings
Add the flag
  --warn=dev

to be able to toggle several developer warnings with a single flag.

Note: --warn=all is being reserved for a larger patch to warnings
when all warnings are setup with control flags.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
c530c880b1 parser: Add warning flag that can toggle deprecation warnings
Add the flag
  --warn=deprecated

to be able to toggle deprecation warnings

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
0d0686becc parser: Add warning flag for ABI messages
ABI warnings can be too much for a deployed system. Add

  --warn=abi

to control output of abi warnings

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-09-01 19:42:38 -07:00
John Johansen
eb8f9302aa profiles: Add a hosts_access abstraction
Host files accessed by tcp_wrapper can reference other files, from man
5 hosts.allow

```
A string that begins with a '/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used.
```

This means adding a file to hosts requires updating multiple profiles.
Add a hosts abstraction so users only have to modify a single location.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/605
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1864466
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2020-09-01 19:39:59 -07:00
John Johansen
e1ba76375b profiles: Add chromium-browser profile from Ubuntu
Ubuntu is dropping their chromium-browser profile because
chromium-browser has been made a snap on ubuntu. Suck in the profile
upstream as a reference profile for those who want to confine
chromium outside of a snap, and update its includes.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/606
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
2020-08-31 21:56:59 -07:00
John Johansen
cc97494528 Merge Fix access to Fips 140-2 library integrity files
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/595
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2020-08-31 17:41:11 +00:00
John Johansen
33112c324c Merge php-fpm: /run path update and peer name fixes
* fix profile name in signal and change_profile rule
* php-fpm profile: adjust /run paths

Thanks to Darix for pointing out that openSUSE now uses /run/php-fpm/

Also switch to using @{run}.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/601
Acked-by: John Johansen <john.johansen@canonical.com>
2020-08-31 06:48:33 +00:00
Christian Boltz
64ae865675
php-fpm: allow only one pid file
According to Darix, the pid is only in the main config, and it doesn't
make sense to have multiple pid files
2020-08-30 23:24:22 +02:00
Christian Boltz
9892a03270
php-fpm: fix profile name in signal and change_profile rule
Note: the change_profile rule was not really correct and only worked by
accident. We want to specify the target profile, therefore add the '->'.
2020-08-30 22:39:30 +02:00
Christian Boltz
6cf58457d7 Merge branch 'patch-1' into 'master'
Fix /usr/lib/postfix binary paths in postfix+dovecot profiles

See merge request apparmor/apparmor!602

Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
2020-08-30 18:57:11 +00:00
Alexis Grey
04394d0749 Fix /usr/lib/postfix binary paths in postfix+dovecot profiles
This makes it consistent with the other Postfix profiles.
2020-08-30 18:57:11 +00:00
Christian Boltz
112e2bc9fb Merge branch 'update-nvidia-modprobe' into 'master'
nvidia_modprobe: allow reading driver parameters

See merge request apparmor/apparmor!603

Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
2020-08-30 18:49:41 +00:00
Vincas Dargis
a98a4f734f nvidia_modprobe: allow reading driver parameters
On Debian Sid nvidia_modprobe is not permissive enough:

```
type=AVC msg=audit(1598788812.837:495): apparmor="DENIED"
operation="open" profile="nvidia_modprobe"
name="/proc/driver/nvidia/params" pid=31586 comm="nvidia-modprobe"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

Update profile to allow reading /proc/driver/nvidia/params

Fixes Debian bug 969267 [0]

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969267
2020-08-30 19:24:29 +03:00
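The two nvidia_modprobe denials quoted in the commit messages above (mknod on /dev/nvidia-modeset and open on /proc/driver/nvidia/params) are the kind of audit record a profile author turns into a file rule. As an added example that is not part of the AppArmor project or of these commits, this Python script parses such records and proposes the file rule each one calls for; the sample lines are the page's own denials re-joined onto single lines, and the function names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two denials quoted on this page, each
# re-joined onto one line as it would appear in audit.log.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1599065006.981:527): apparmor="DENIED" '
    'operation="mknod" profile="nvidia_modprobe" name="/dev/nvidia-modeset" '
    'pid=12969 comm="nvidia-modprobe" requested_mask="c" denied_mask="c" '
    'fsuid=0 ouid=0',
    'type=AVC msg=audit(1598788812.837:495): apparmor="DENIED" '
    'operation="open" profile="nvidia_modprobe" '
    'name="/proc/driver/nvidia/params" pid=31586 comm="nvidia-modprobe" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key=value or key="quoted value" pairs as written by the audit subsystem
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Audit mask letters -> file-rule permission letters. The log reports
# create ("c") and delete ("d") separately, but AppArmor file rules
# grant both through write ("w"), so a mknod denial needs a "w" rule.
_MASK_TO_PERM = {"c": "w", "d": "w", "r": "r", "w": "w", "a": "a",
                 "k": "k", "l": "l", "m": "m"}


def parse_denial(line: str) -> Dict[str, str]:
    """Split one audit record into its key/value fields."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def suggest_file_rule(fields: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (profile, rule) for a DENIED file-access record, else None."""
    if fields.get("apparmor") != "DENIED":
        return None          # ALLOWED (complain mode) and other records are skipped
    path = fields.get("name")
    profile = fields.get("profile")
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    if not path or not path.startswith("/") or not profile or not mask:
        return None          # not a file access (signal, capability, dbus, ...)
    if "x" in mask:
        return None          # exec needs an explicit transition mode (ix/Px/Ux)
    perms = {_MASK_TO_PERM[c] for c in mask if c in _MASK_TO_PERM}
    if "w" in perms:
        perms.discard("a")   # "w" already covers append
    ordered = "".join(p for p in "rwalkm" if p in perms)
    if not ordered:
        return None
    return profile, f"{path} {ordered},"


def suggest_rules(lines: List[str]) -> Dict[str, List[str]]:
    """Group the proposed rules by profile, dropping duplicates."""
    by_profile: Dict[str, set] = {}
    for line in lines:
        result = suggest_file_rule(parse_denial(line))
        if result is None:
            continue
        profile, rule = result
        by_profile.setdefault(profile, set()).add(rule)
    return {p: sorted(r) for p, r in by_profile.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_DENIALS).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```

Each proposed rule still needs a human decision on whether the access is legitimate for the confined program before it is added to the profile.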
Christian Boltz
3a4dc1f885
php-fpm profile: adjust /run paths
Thanks to Darix for pointing out that openSUSE now uses /run/php-fpm/

Also switch to using @{run}.
2020-08-28 22:23:13 +02:00
John Johansen
398bb20dfd policy: Provide example and base abi to pin pre 3.0 policy
Provide example rules in parser.conf to pin pre 3.0 policy and
appropriate abi files.

abis for vanilla upstream kernels and out-of-tree network patched
kernels are provided. With both ABIs dropping v8 support from what is
advertised by the kernel, as 2.x policy/userspace did not support it.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/598
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-08-28 12:57:00 -07:00
Steve Beattie
efc6590409
regression tests/prologue: adjust sed to not use ~ as regex separators
prologue.inc:settest() in some cases invokes a sed command that uses
'~' as a pattern separator, on things that can contain filesystem
paths. However, in the debian/ubuntu world, '~' can be used in version
strings, particularly for pre-release versions, and when this happens
and the version is embedded in the path, the sed command breaks
because of the extraneous separator. Fix this by using '#' as a
separator, which has the benefit of being considered a comment if
accidentally interpreted by a shell.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/599
2020-08-27 15:43:28 -07:00
John Johansen
139fac6062 parser: Add warning to capability_table about the need to update the Makefile
The autogenerated capabilities comparison needs to be updated if the
capability_table structure changes. Add a note by the structure to
make sure the Makefile will get updated if the structure is changed.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/597
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2020-08-27 01:17:26 -07:00
Steve Beattie
4d802d6835 parser: fix cap list check
Merge branch 'parser-fix_cap_list_check' into 'master'

The sed command to manipulate the known cap list (`base_cap_names.h`) into
a format to match the generated_cap_names.h was buggy because the
trailing `}` would never match anything, leading to failures when built
against 5.8 kernel headers, due to it not replacing the base capabilities
correctly.
    
Fix this by removing the trailing `}` match and instead match the third
comma-delimited field that matches a capability name, and replace that.

See merge request apparmor/apparmor!596
2020-08-27 04:26:56 +00:00
Steve Beattie
a7fc8bb500
parser/Makefile: fix generated cap comparison against known list
The sed command to manipulate the known cap list (base_cap_names.h) into
a format to match the generated_cap_names.h was buggy because the
trailing '}' would never match anything, leading to failures when built
against 5.8 kernel headers, due to it not replacing the base capabilities
correctly.

Fix this by removing the trailing '}' match and instead match the third
comma-delimited field that matches a capability name, and replace that.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/596
2020-08-26 20:58:14 -07:00
John Johansen
33ff79a9e5
parser/Makefile: use LC_ALL=C when invoking sed
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/596
2020-08-26 20:57:34 -07:00
Steve Beattie
ec62254b04
regression tests: add FIPS-140-2 lib validation hmac files
DBus services link against libgcrypt, and thus when libgcrypt has had
patches applied to make it FIPS 140-2 compliant, the dbus based tests
confined by apparmor need access to the associated library integrity validation
file. Fix this by causing mkprofile to grant read access in all
generated profiles by default.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1891664
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/595
2020-08-24 23:07:16 -07:00
Steve Beattie
e463f9ad44
profiles: add FIPS-140-2 lib validation hmac files to abstractions/base
Cryptographic libraries that have had FIPS 140-2 patches applied will
read from and validate themselves against a validation file, which is in
the same directory as the library itself. As an example, a FIPS 140-2
version of libgcrypt on x86-64 has the following shared library and hmac file:

  /lib/x86_64-linux-gnu/libgcrypt.so.20.2.1
  /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac

A similarly named version of libgcrypt + hmac file can be seen for SUSE
systems in:

  https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2464.pdf

and Red Hat:

  https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2657.pdf

The libraries provided by FIPS 140-2 compliant versions of OpenSSL also
include this.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/595
2020-08-24 23:06:54 -07:00
John Johansen
9ef98e89e4 apparmor: bump versions for AppArmor 3.0 beta1
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-08-24 03:00:59 -07:00
Christian Boltz
94aaf2e0e3 Merge branch 'master' into 'master'
fix bug that some rules will be added to the profile repeatedly

The ask_exec() function may cause some rules to be added to the profile repeatedly.

See merge request apparmor/apparmor!593

Acked-by: Christian Boltz <apparmor@cboltz.de>
2020-08-23 15:06:38 +00:00
zt1024
85b5ead6aa fix bug that some rules will be added to the profile repeatedly
2020-08-20 23:46:48 +08:00
John Johansen
6cfbb3ff95 Merge parser: replace duplicate warn_once() with common function
The warn_once() function is duplicated in 6 different places. A common, reusable version has been added to parser_common.c.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/590
Acked-by: John Johansen <john.johansen@canonical.com>
2020-08-20 08:54:52 +00:00
John Johansen
d2ceea34c1 Merge parser: fix abi rule and pinned feature file interaction
In AppArmor 2 distros could pin the feature file being used by setting
the feature-file option in the config file.

With AppArmor 3 policy is now explicitly tagged with an abi rule.

The problem is the interaction on systems that have a mixture of
AppArmor 2 and AppArmor 3 policy and use feature pinning.

The feature pinning is required to make the apparmor 2 policy behave
as expected but it also overrides the abi rules that are explicitly
set as part of the policy. This means we either have the apparmor 2
pinned policy working as desired or the apparmor 3 policy, but not
both.

To fix this make setting the flag in the config file have lower
priority than the feature abi rule. But still allow the config option
specified on the command line to override the config file and the
feature abi rule.

The Priority ordering to determine the policy abi to use is
1. Use abi rules if present
2. if no abi rule use command line option
3. if no abi rule or command line option use config setting
4. if none of the above use the default abi

v2:
add priority ordering to documentation
reorder priority so existing config/command line options behave as expected, make ABI rules highest priority
add new option --override-policy-ABI to allow overriding of abi rules
move arg processing from numbers to defines

v3
update patch description around how the abi pinning problem is being fixed
add MR: tags to patches

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/579
2020-08-20 01:26:24 -07:00
John Johansen
a4182119e2 parser: switch arg processing to use constant defines instead of numbers
I screwed up adding the last option, yet again because
EARLY_ARG_CONFIG_FILE was defined out of order, and adding the new
option seems to skip a number, ...

Switch to defines to make it easier to update, and keep all these
define numbers together in order.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/579
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-08-20 01:22:03 -07:00
John Johansen
dcc2918665 parser: add an option to allow overriding feature ABI rules
Add an option to allow setting/pinning the feature ABI and overriding
of ABI rules if they exist.

  --override-policy-abi

This option is primarily for profile development and testing, allowing
feature abis to be adjusted temporarily without modifying the
profile.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/579
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-08-20 01:22:03 -07:00
John Johansen
acb45dc4b0 parser: fix abi rule and pinned feature file interaction
In AppArmor 2 distros could pin the feature file being used by setting
the feature-file option in the config file.

With AppArmor 3 policy is now explicitly tagged with an abi rule.

The problem is the interaction on systems that have a mixture of
AppArmor 2 and AppArmor 3 policy and use feature pinning.

The feature pinning is required to make the apparmor 2 policy behave
as expected but it also overrides the abi rules that are explicitly
set as part of the policy. This means we either have the apparmor 2
pinned policy working as desired or the apparmor 3 policy, but not
both.

To fix this make setting the flag on command line or in config file
lower priority than an abi rule specified in policy. The ability
to override abi rules will be added in a separate patch.

The Priority ordering to determine the policy abi to use is
1. Use abi rules if present
2. if no abi rule use command line option
3. if no abi rule or command line option use config setting
4. if none of the above use the default abi

PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/579
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-08-20 01:22:03 -07:00
John Johansen
2f5d5e1b24 Merge utils make check_severity_db: say ERROR for failing the build
utils `make check_severity_db` will fail the build if a (probably new) capability is not listed in severity.db. This also means it should print out an ERROR, not a warning.

This is a follow-up of lp#1890547 and https://gitlab.com/apparmor/apparmor/-/merge_requests/589

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/591
Acked-by: John Johansen <john.johansen@canonical.com>
2020-08-20 08:09:18 +00:00
John Johansen
345f4eaeff Merge abstractions/gnome: allow /usr/share/gtk-3.0/settings.ini
GTK+ 3 has a global settings file (see https://gitlab.gnome.org/GNOME/gtk/-/blob/gtk-3-24/gtk/gtksettings.c#L345) that should be readable as well.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/592
Acked-by: John Johansen <john.johansen@canonical.com>
2020-08-20 08:07:11 +00:00
John Johansen
eebd1bdfba Merge Add php-fpm isolation with apparmor hats
Adapted from https://nordisch.org/posts/php-fpm-apparmor/, port the nextcloud-independent portion of the php-fpm worker abstractions and php-fpm isolation for more general usage.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/577
Acked-by: John Johansen <john.johansen@canonical.com>
2020-08-20 08:05:03 +00:00
Jonas Witschel
af6fe026e1 abstractions/gnome: allow /usr/share/gtk-3.0/settings.ini
GTK+ 3 has a global settings file that should be readable as well.
2020-08-18 12:28:53 +02:00
Antonio Russo
660ce39937 Add php-fpm isolation with apparmor hats
Adapted from https://nordisch.org/posts/php-fpm-apparmor/, port the
nextcloud-independent portion of the php-fpm worker abstractions and
php-fpm isolation for more general usage.

Signed-off-by: Antonio Russo <antonio.e.russo@gmail.com>
2020-08-16 12:11:00 -06:00
Christian Boltz
46920dd3ef
utils make check_severity_db: say ERROR for failing the build
utils `make check_severity_db` will fail the build if a (probably new)
capability is not listed in severity.db. This also means it should print
out an ERROR, not a warning.

This is a follow-up of lp#1890547 and
https://gitlab.com/apparmor/apparmor/-/merge_requests/589
2020-08-14 20:16:49 +02:00