capabilities). The rule will be marked in the "dangerous capability"
color.
Additionally, the patch removes the (already commented out) code for
"set capability".
Acked-by: Kees Cook <kees@ubuntu.com>
Description: glibc's __get_nprocs() now checks /sys/devices/system/cpu/online
in addition to /proc/stat for the number of processors. This is used in the
_SC_NPROCESSORS_ONLN implementation, a part of sysconf. This was introduced in
upstream glibc commit:
84e2a551a7
Bug-Ubuntu: https://launchpad.net/bugs/929531
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
(At least) openSUSE uses ~/.kde4 to store KDE4 settings.
This patch changes ~/.kde/ to ~/.kde{,4} in all abstractions.
The patch is mostly from Velery Valery, I only fixed a merge conflict
and added the kmail{,2} part in private-files-strict.
References: https://bugzilla.novell.com/show_bug.cgi?id=741592
Acked-By: Steve Beattie <sbeattie@ubuntu.com> for both trunk and 2.7.
which is needed by NetworkManager integration in Ubuntu. (LP: #917628)
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
A bug in Ubuntu reported that the aspell abstraction does
not allow write access to the user customizable dictionaries, the
personal dictionary (~/.aspell.$LANG.pws) and the personal replacement
dictionary (~/.aspell.$LANG.prepl). It also adjusts the abstraction
to add the owner modifier to the personal dictionaries.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/917859
it is needed by pretty much all of the browser abstractions. aa-update-browser
unconditionally adds the plugins-common abstraction, so this should be
sufficient.
properly quote the _known variable (set when the tests are marked as
expected failures) when the expectation was that the testcase would
produce a corefile. This would result in a failed testcase reporting
XFAIL incorrectly.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
suffix of an image= flag, as it's no longer needed. It also eliminates
code that emitted the permissions based on the result of the parse.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen@canonical.com
add 'rix' permissions on executable images (but still auto-generate
ldd dependencies), for use when specifying alternate permissions
on executables.
Where appropriate, it also converts a few testcases to make use of
the option.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
generated profile and have the ldd auto-generation of rules occur on
it. It also kills all testcase usage of $dynlibs, which had stopped
being generated by prologue.inc in a prior patch.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
mkprofile.pl helper and take the convoluted code out of the bash
prologue.inc. It also detects if the binary is a script and performs
ldd analysis on the interpreter.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
their purpose a little more accurately; renames the dump_flags to
emit_flags for the same reason, and also adds a modicum a function
prototype information to the function declarations.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
write access to /proc/*/attr/current to mkprofile.pl from prologue.inc.
Signed-Off-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Profile loads when specifying namespaces currently conflict with caching.
If the profile (ignoring the specified namespace) is in the cache, then
the cached profile will be loaded, replacing the profile in the current
namespace instead of loading the profile to the new namespace.
Fix this by disabling caching when a namespace is specified, forcing the
profile to be compiled.
NOTE: this will not affect profiles loaded from within a namespace using
either the same or a separate directory as the base to load a namespac
from. This only affects loading profiles directly into a child
namespace.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Currently the cache location is fixed and links are needed to move it.
Add an option that can be set in the apparmor_parser.conf file so distros
can locate the cache where ever makes sense for them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
The behavior for revalidation/revocation of open files has changed
with the current kernel code, resulting in these tests being reported
as failing even though they are showing expected behavior.
Under the current kernel module this form of revalidation/revocation
can not be tested reliably, so just changing the expected result is
not enough, completely disable the tests for now.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Lenient profile that is intended to be used when 'Ux' is desired but
does not provide enough environment sanitizing. This effectively is an
open profile that blacklists certain known dangerous files and also
does not allow any capabilities. For example, it will not allow 'm' on files
owned be the user invoking the program. While this provides some additional
protection, please use with care as applications running under this profile
are effectively running without any AppArmor protection. Use this profile
only if the process absolutely must be run (effectively) unconfined.
Limitations:
1. This does not work for root owned processes, because of the way we use
owner matching in the sanitized helper. We could do a better job with
this to support root, but it would make the policy harder to understand
and going unconfined as root is not desirable anyway.
2. For this sanitized_helper to work, the program running in the sanitized
environment must open symlinks directly in order for AppArmor to mediate
it. This is confirmed to work with:
- compiled code which can load shared libraries
- python imports
It is known not to work with:
- perl includes
3. Going forward it might be useful to try sanitizing ruby and java
Use at your own risk. This profile was developed as an interim workaround for
LP: #851986 until AppArmor implements proper environment filtering.
Acked-by: Jamie Strandboge <jamie@canonical.com>
Adjust ubuntu abstractions to use sanitized_helper instead of (P)Ux.
Acked-by: Jamie Strandboge <jamie@canonical.com>
Update launchpad-integration to use a sanitized helper in a similar manner
as that in ubuntu-helpers.
Acked-by: Jamie Strandboge <jamie@canonical.com>
creating owner writes on things like ~/.cache and ~/.config
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
add machine script = /usr/sbin/smbldap-useradd -t 5 -w "%u"
smbd obviously needs x permissions for smbldap-useradd.
The commit also adds a new profile for usr.sbin.smbldap-useradd (based on
the audit.log from Alexis Pellicier).
Additionally, I moved the "/etc/samba/* rwk" rule next to the other
/etc-related rules in the smbd profile.
References: https://bugzilla.novell.com/show_bug.cgi?id=738041
Lenient profile that is intended to be used when 'Ux' is desired but
does not provide enough environment sanitizing. This effectively is an
open profile that blacklists certain known dangerous files and also
does not allow any capabilities. For example, it will not allow 'm' on files
owned be the user invoking the program. While this provides some additional
protection, please use with care as applications running under this profile
are effectively running without any AppArmor protection. Use this profile
only if the process absolutely must be run (effectively) unconfined.
Limitations:
1. This does not work for root owned processes, because of the way we use
owner matching in the sanitized helper. We could do a better job with
this to support root, but it would make the policy harder to understand
and going unconfined as root is not desirable any way.
2. For this sanitized_helper to work, the program running in the sanitized
environment must open symlinks directly in order for AppArmor to mediate
it. This is confirmed to work with:
- compiled code which can load shared libraries
- python imports
It is known not to work with:
- perl includes
3. Going forward it might be useful to try sanitizing ruby and java
Use at your own risk. This profile was developed as an interim workaround for
LP: #851986 until AppArmor implements proper environment filtering.
From the README in the toplevel source:
"[P11-KIT] Provides a way to load and enumerate PKCS#11 modules. Provides a
standard configuration setup for installing PKCS#11 modules in such a way that
they're discoverable."
File locatations are described in [1]. There is a global configuration file in
/etc/pkcs11/pkcs11.conf. Per module configuration happens in
/etc/pkcs11/<module name>. There is also user configuration in ~/.pkcs11, but
IMO this should not be allowed in the abstraction. Example configuration can be
seen in the upstream documentation[2].
This will likely need to be refined as more applications use p11-kit.
[1]http://p11-glue.freedesktop.org/doc/p11-kit/config-locations.html
[2]http://p11-glue.freedesktop.org/doc/p11-kit/config-example.html
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Also add p11-kit to authentication abstraction
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
From the README in the toplevel source:
"[P11-KIT] Provides a way to load and enumerate PKCS#11 modules. Provides a
standard configuration setup for installing PKCS#11 modules in such a way that
they're discoverable."
File locatations are described in [1]. There is a global configuration file in
/etc/pkcs11/pkcs11.conf. Per module configuration happens in
/etc/pkcs11/<module name>. There is also user configuration in ~/.pkcs11, but
IMO this should not be allowed in the abstraction. Example configuration can be
seen in the upstream documentation[2].
This will likely need to be refined as more applications use p11-kit.
[1]http://p11-glue.freedesktop.org/doc/p11-kit/config-locations.html
[2]http://p11-glue.freedesktop.org/doc/p11-kit/config-example.html
Acked-by: Jamie Strandboge <jamie@canonical.com>
Currently hfa::match calls hfa::match_len to do matching. However this
requires walking the input string twice. Instead provide a match routine
for input that is supposed to terminate at a given input character.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Add the ability to match strings directly from the hfa instead of needing
to build a cfha.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
in python abstraction. This script is used by apport aware python applications
Bug-Ubuntu: https://launchpad.net/bugs/860856
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
