disable abi/ok_10 and abi/ok_12 tests
See merge request apparmor/apparmor!259
(cherry picked from commit 608af94dff)
a3305b51 disable abi/ok_10 and abi/ok_12 tests
Remove TODO notes from no-longer-failing tests
See merge request apparmor/apparmor!180
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: intrigeri <intrigeri@debian.org>
(cherry picked from commit c98d8570ee)
d15bdaba Remove TODO notes from no-longer-failing tests
This is a backport of !239
commit 2209e09aef
Author: nl6720 <nl6720@gmail.com>
aa-notify man page: update user's configuration file path
Signed-off-by: nl6720 <nl6720@gmail.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/243
(backported from commit 2209e09aef)
Signed-off-by: John Johansen <john.johansen@canonical.com>
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features. This is especially
true for out of tree policy being shipped in other packages.
Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.
If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
(backported form commit 83df7c4747)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This changed the profile names and needs adjustments to "signal
peer=..." rules, which is something we should avoid in an old branch.
The reverted commit is
commit 0ce15469ec
Author: Cameron Nemo <camerontnorman@gmail.com>
Date: Wed Jul 25 14:07:35 2018 -0700
profiles: support distributions which merge sbin into bin
Closes#8
(cherry picked from commit 9ab45d811e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This reverts the following commit which changes the profile names -
something we should avoid on an old branch.
commit ae3e230b053e0521f54ea1590326dae895b7642c
Author: Cameron Nemo <camerontnorman@gmail.com>
Date: Tue Sep 11 09:54:33 2018 -0700
profiles: support void-specific binary names for openntpd, traceroute, and ping
(cherry picked from commit 6e28a94ace)
Signed-off-by: John Johansen <john.johansen@canonical.com>
profiles/Makefile: test abstractions against apparmor_parser
See merge request apparmor/apparmor!244
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10, 2.11 and 2.12.
(cherry picked from commit 500b857d24)
93ccf15c profiles/Makefile: test abstractions against apparmor_parser
Currently if stdin is used the warning
apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
is always displayed but if caching has been disabled there is no need for
this message.
(backported from commit c421a29c61)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/233
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Fix aa-mergeprof crash caused by accidentially initialzed hat
See merge request apparmor/apparmor!234
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 93445ca02d)
bc492533 Fix aa-mergeprof crash caused by accidentially initialzed hat
The old patter *.* doesn't match lsb_release and nvidia_modprobe, and
the only file we ship in local is a README. This patch adjusts the
pattern to ignore everything except README.
(cherry picked from commit aeee9a1aab)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/227
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 94dfe15b28 attempted to remove
LD_RUN_PATH unfortunately
But all it actually does is cause the Makefile.perl to embed the rpath
"" instead. Which is still an rpath, only I guess an even worse one.
--
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
This is because it cleared the setting of the variable LD_RUN_PATH
which was expanded in the command
$(INST_DYNAMIC) : $(OBJECT) $(MYEXTLIB) $(INST_ARCHAUTODIR)$(DFSEP).exists $(EXPORT_LIST) $(PERL_ARCHIVEDEP) $(PERL_ARCHIVE_AFTER) $(INST_DYNAMIC_DEP)
$(RM_F) $@
LD_RUN_PATH="$(LD_RUN_PATH)" $(LD) $(LDDLFLAGS) $(LDFROM) $(OTHERLDFLAGS) -o $@ $(MYEXTLIB) \
$(PERL_ARCHIVE) $(LDLOADLIBS) $(PERL_ARCHIVE_AFTER) $(EXPORT_LIST) \
$(INST_DYNAMIC_FIX)
$(CHMOD) $(PERM_RWX) $@
resulting in LD_RUN_PATH="" being passed to the command.
Finish removing LD_RUN_PATH from Makefile.perl by removing it from
the command invocation if it is present.
Note: we use \x24 instead of $ in the regex as there seems to be a bug
and no level of escaping $ would allow it to be used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/207
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 958cc28876)
Make @{sys} available by default
See merge request apparmor/apparmor!228
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 772a8702e0)
aa065287 Make @{sys} available by default
--log-facility option needs to have permission to open files.
Use '*' to allow using more files (for using more dnsmasq instances).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
(cherry picked from commit 025c7dc6a1)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
parser: fix Makefile hardcoded paths to flex and bison
Closes#4
See merge request apparmor/apparmor!224
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 34cf085036)
17e059a2 parser: fix Makefile hardcoded paths to flex and bison
2.11: Add basic support for abi rules to the tools
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does not run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-)
This is a backport of 072d3e04 / !202 (merged) to
2.11 (with some adjustments because that commit didn't appy cleanly)
I propose this patch for 2.10 and 2.11.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/223
Acked-by: John Johansen <john.johansen@canonical.com>
2.11/2.10: is_skippable_dir(): add 'cache.d' to exclude list
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/
Reported on the opensuse-factory mailinglist by Frank Krüger and
confirmed by others.
(cherry picked from commit 5b9497a8)
While this isn't strictly needed for 2.10 or 2.11 userspace, it makes testing these branches easier ;-)
I propose this cherry-pick for 2.11 (= this merge request) and 2.10.
https://gitlab.com/apparmor/apparmor/merge_requests/222
Acked-by: John Johansen <john.johansen@canonical.com>
make 2.11 utils tests green
- switch minitools_test.py to a profile without alternation
- remove non-failing tests from unknown_line exception
- exclude several #include "does not exist" examples
PR: https://gitlab.com/apparmor/apparmor/merge_requests/220
Legacy path ~/.apparmor/notify.conf is preferred if it exists, otherwise
$XDG_CONFIG_HOME/apparmor/notify.conf, with fallback to
~/.config/apparmor/notify.conf, is used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/215
Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit 1fb9acc59e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add missing paths to usr.sbin.nmbd, usr.sbin.smbd and abstractions/samba
See merge request apparmor/apparmor!210
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit f76a718f28)
80e98f2d Update usr.sbin.nmbd & usr.sbin.smbd
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does _not_ run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-)
This is a backport of 072d3e0451 / !202 to
2.11 (with some adjustments because that commit didn't appy cleanly)
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/
Reported on the opensuse-factory mailinglist by Frank Krüger and
confirmed by others.
(cherry picked from commit 5b9497a8c6)
bare_include_tests/ok_30.sd and ok_31.sd don't fail with the 2.11 tools.
Remove them from the unknown_line exception.
(Interestingly newer branches fail on these tests, but I didn't check why.)
These tests were added with the cherry-picked commit 4184b0c363
They are expected to fail, but don't fail with the 2.11 tools because
the regex only matches #include <...> which means #include "..."
is considered to be a comment.
Remove accidently added text from utils/po/Makefile
See merge request apparmor/apparmor!217
Acked-by: Tyler Hicks <tyhicks@canonical.com>
(cherry picked from commit fa82a51523)
15770576 Remove accidently added text from utils/po/Makefile
Qt GUI applications that uses "platforminputcontexts"-class of plugins
might need reading and/or writing compose cache. Add read-only rule in
qt5 abstraction and create new writing dedicated for compose cache
writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 67816c42cf)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Qt-based applications stores QFileDialog (latest browsed directory) and
other shared user settings inside ~/.config/QtProject.conf. Currently
available qt abstraction only allows to read it (by design), so this
patch introduces abstraction that grants permissions for writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 69c4cabb93)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add @{uid} and @{uids} variables to allow migrating profiles in advance
while awaiting path mediation implementation, based on current user id,
in kernel side.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/208
(cherry picked from commit cba10db7e7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Harden abstractions part ii
- abstractions/private-files: disallow access to the dirs of private files
- private-files{,-strict}: disallow writes to parent dirs too
- user-files: disallow writes to parents dirs
PR: https://gitlab.com/apparmor/apparmor/merge_requests/206
Signed-off-by: John Johansen <john.johansen@canonical.com>
gio-launch-desktop helper tries to execute /usr/bin/thunderbird wrapper
script, not the /usr/lib/thunderbird... directly.
Add rule allowing to execute /usr/bin/thunderbird.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/204
(cherry picked from commit cee9527fa8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
* Add -bin suffix to reach new Thunderbird executable.
(cherry picked from commit 7546413b43)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Harden abstractions
remove antiquated abstractions/launchpad-integration
abstractions/private-files-strict: disallow access to the dirs of private files
abstractions/private-files: disallow writes to thumbnailer dir (LP: #1788929)
ubuntu-browsers.d/user-files: disallow access to the dirs of private files
Nominating launchpad-integration and opencl-nvidia for 2.13. Nominating private-files-strict, private-files and user-files for 2.10 and higher
PR: https://gitlab.com/apparmor/apparmor/merge_requests/203
Signed-off-by: John Johansen <john.johansen@canonical.com>
add zsh to logprof.conf
See merge request apparmor/apparmor!201
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 7e22b0a894)
00871696 add zsh to logprof.conf
Also add /usr/share/dnsmasq/, DNSSEC trust anchors are kept there.
(cherry picked from commit 5bc7a9fbd6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
