LSM stacking adds new interfaces
/proc/<pid>/attr/apparmor/*
that should be used in preference of the old interface files in
/proc/<pid>/attr/*
The library has already been updated to use the new path but the
abstraction for change_profile has not so accessing the new interface
in a confined application fails.
Fix this by making the abstraction cover the old and new interfaces.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR625 fixed hats not emitting the rule to access the proc interface
needed for change_hat, but it broke the rule being emitted for the
parent (which used to work).
The proc attr access rule should be emitted for any profile that
is a hat OR any profile that contains hats.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser is supposed to add a rule to profiles if they are a hat
or contain hats granting write access to the kernel interfaces
used to perform the change_hat operation.
Unfortunately the check is broken and currently won't add the
rule to hats (it does add it for the parent).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/625
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
serialize_profile() assumes that active_profiles has the /etc/apparmor.d/ filename of a profile initialized.
This patch makes sure this is true even when using an extra profile by initializing it in get_profile().
Ideally serialize_profile() shouldn't always use active_profiles, but that will be part of a bigger change.
Reported by zt1024 including a proposed patch on https://gitlab.com/apparmor/apparmor/-/merge_requests/604 but of course ;-) this patch is better because it selectively does the initialization only in the case that needs it.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/623
Acked-by: John Johansen <john.johansen@canonical.com>
serialize_profile() assumes that active_profiles has the
/etc/apparmor.d/ filename of a profile initialized.
This patch makes sure this is true even when using an extra profile by
initializing it in get_profile().
Ideally serialize_profile() shouldn't always use active_profiles, but
that will be part of a bigger change.
Reported by zt1024 including a proposed patch on
https://gitlab.com/apparmor/apparmor/-/merge_requests/604
but of course ;-) this patch is better because it selectively does the
initialization only in the case that needs it.
Convert the two commented-out fprintf() lines in is_merged_x_consistent() to useful debug logging using PDEBUG macro.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/616
Acked-by: John Johansen <john.johansen@canonical.com>
A copy/paste error leads to a build failure due to an undefined variable "name" in parser_misc.c:clear_cap_flag().
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/608
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
php-fpm: fix profile name in php-worker
This is analogous to 9892a032. It allows php-fpm to manage the worker threads by allowing the threads to receive signals from php-fpm (rather than the nonexistent profile `/usr/sbin/php-fpm*`).
See merge request apparmor/apparmor!619
Acked-by: Christian Boltz <apparmor@cboltz.de>
A debug message in reset_parser() gives developers more data about how
the parser is behaving. In addition, it provides much needed context to
the relatively vague debug message in clear_cap_flag().
Another solution might be to pass the profile name into
clear_cap_flag(), however, clear_cap_flag() does not need the profile
name, except potentially for debugging purposes.
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
A copy/paste error leads to a build failure due to an undefined variable
"name" in parser_misc.c:clear_cap_flag().
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
- drop out dated maintenance comment
- cleanup profile name rules, and fix a few broken references
- /usr/lib -> /{usr,}/lib
- lib -> lib{,32,64}
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/611
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
yyerror is outputting the file name twice when not in a profile or
the profilename global is not defined. Drop the second output of
the file name as it just clutters up the error message.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/610
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Mike Salvatore <mike.salvatore@canonical.com>
yyno_top_state was set as part of getting rid of the need to link against
libfl.
However we actually need to ability when the scanner is built with
debugging. Fix it so the option and libfl linking are conditionally
used based on whether DEBUG is defined.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/609
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Mike Salvatore <mike.salvatore@canonical.com>
Add flags to be able to control parser warnings, and convert warnings into errors.
Flags can be enabled by using `--warn` followed by a single flag. If multiple flags need to be set --warn can be specified multiple times.
Eg.
```
--warn=deprecated --warn=rule-downgrade
```
Flags can be disabled no prefix the flag name with `no-`
Eg.
```
--warn=no-config
```
The set of currently enabled flags can be seen by specifying
```
--warn=show
```
and the set of supported flags can be seen by specifying
```
--help=warn
```
The default set of warning flags that are enabled are
```
WARN_CONFIG - config warnings
WARN_CACHE - cache warnings that were not hidden behind debug-cache
WARN_JOBS - warnings around job failures
WARN_UNEXPECTED - warnings about internal consistency checks against what is expected from kernel
WARN_OVERRIDE - warnings about overriding some option, currently limited to forcing an override on a namespace.
```
Warnings can be converted into errors by specifying `-Werror`. It supports all the same options as \`\`\`--warn\`. A warning must be turned on before the warning can be converted into an error message.
```
--warn=deprecated --Werror=all
```
Will create error messages for deprecation warnings but not for rule-downgrades. -Werror is disabled by default.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Acked-by: Steve Beattie <steve.beattie@canonical.com>
--config-file is processed early in a separate argument processing
pass. Adjust --warn and --Werror processing so they are done in
both the early and late arg processing pass.
--warn and --Werror must be run in both argument processing passes
so that
1. They can be used with --config-file as long as they are specified
before --config-file (early pass)
2. They are not overriden by any flags set in the config file, as
command line options take priority over what is in the config
file (hence the need for reprocessing in the second pass)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make it so --Werror=show can display which flags have been set.
In addition update its --help=Werror flag table to display
./apparmor_parser --Werror=[Option]
instead of --Warn
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the ability to show which warnings are enabled by specifying "show"
as an to the --dump, --warn, and --Optimize options
Eg.
--warn=show
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some warning flags are enabled by default, allow a warning to
be disbaled by specifying no- infront of the warning.
Eg.
--warn=no-deprecated
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add basic ability to treat a warning as an error and abort the compile
by specifying the new option --Werror.
--Werror
will turn all warnings into errors. Where if an warning type is
specified only that type of warning will be turned into an error.
--Werror=deprecated.
The full list of supported warning types can be found by using
apparmor_parser --help=warn
or
apparmor_parser --help=Werror
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make all warnings that go through pwarn() controllable by warning
flags. This adds several new warning control flags, documented in
--help=warn
Convert --debug-cache to be unified with warning flags. So it can be
set by either
--debug-cache
or
--warn=debug-cache
Also add an "all" option to be able to turn on all warnings.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the flag
--warn=dev
to be able to toggle several developer warnings with a single flag.
Note: --warn=all is being reserved for a larger patch to warnings
when all warnings are setup with control flags.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Host files accessed by tcp_wrapper can reference other files, from man
5 hosts.allow
```
A string that begins with a '/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used.
```
This means adding a file to hosts requires updating multiple profiles
Add a hosts abstraction so users only have to modify a single location.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/605
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1864466
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Ubuntu is dropping their chromium-browser profile because
chromium-browser has been made a snap on ubuntu. Suck in the profile
upstream as a reference profile for those who want to confine
chromium outside of a snap, and update its includes.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/606
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
* fix profile name in signal and change_profile rule
* php-fpm profile: adjust /run paths
Thanks to Darix for pointing out that openSUSE now uses /run/php-fpm/
Also switch to using @{run}.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/601
Acked-by: John Johansen <john.johansen@canonical.com>
Fix /usr/lib/postfix binary paths in postfix+dovecot profiles
See merge request apparmor/apparmor!602
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
nvidia_modprobe: allow reading driver parameters
See merge request apparmor/apparmor!603
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
