This patch adds the following mount options: 'nostrictatime',
'lazytime', and 'nolazytime'.
The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was
listed along with 'strictatime' in the comments of parser/mount.cc, so
this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME.
Additionally, the Linux kernel includes the 'lazytime' option with
MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to
parser/mount.h and the corresponding mappings in parser/mount.cc for
'lazytime' and 'nolazytime'.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1005
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit c37be61d17)
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
This is a partial fix for CVE-2016-1585, it address the frontend rule encoding problems particularly
- Permissions being given that shouldn't happen
- Multiple option conditionals in a single rule resulting in wider permission instead of multiple rules
- optional flags not being handled correctly
- multiple backend rules being created out of one frontend rule when they shouldn't be
it does not address the backend issue of short cut permissions not being correctly updated when deny rules carve out permissions on an allow rule that has a short cut permission in the encoding.
Thanks to the additional work by Alexander Mikhalitsyn for beating this MR into shape so we can land it
Alexander Changelog:
- rebased to an actual tree
- addressed review comments from @wbumiller and @setharnold
- fixed compiler warnings about class_mount_hdr is uninitialized
- infinite loop fix
- MS_MAKE_CMDS bitmask value fixed
- fixed condition in `gen_flag_rules` to cover cases like `mount options in (bind) /d -> /4,` when flags are empty and only opt_flags are present
- marked some tests as a FAIL case behavior was changed after `parser: add conflicting flags check for options= conditionals` commit
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/333
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit c1a1a3a923)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This was due to the values being defined in both af_unix and af_rule leaving the latter values unset.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/979
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit da7d3a2101)
Signed-off-by: John Johansen <john.johansen@canonical.com>
States are not guaranteed to have transitions, but when inserting
a state into the chfa table there is an unconditional dereference
to the states first transition.
This will result in a bad reference and could result in an OOB
flag being set on the state when it shouldn't be.
Fixes: 16b67ddbd ("add ability to use out of band transitions"
Closes: https://gitlab.com/apparmor/apparmor/-/issues/290
Reported-by: Nobel Barakat <nobelbarakat@google.com>
Reported-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes#290
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/956
Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a7bce9be98)
Signed-off-by: John Johansen <john.johansen@canonical.com>
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/928
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 05d7bdd655)
1df547ee parser: fix DISTRO variable in Makefile
by adding a warning flag that is disabled by default. This will enable
devs to find when and where #include is in use by adding the compile
flag
--warn=pound-include
and can even abort policy compiles by using
--warn=pound-include --Werror=pound-include
The resulting messages look like
Warning from /etc/apparmor.d/usr.sbin.cupsd (/etc/apparmor.d/usr.sbin.cupsd line 5): deprecated use of '#include'
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time-out
The previous fix for LTO builds in b6d3daa7 did not take into
consideration that LTO support could be added through CFLAGS,in which
case the fix would not be applied.
This patch applied the fix -flto-partition=none even if CFLAGS is
already defined.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes#214
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/901
Acked-by: John Johansen <john@jjmx.net>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
I've seen this test fail because "apparmor_parser -N" returned the expected
lines, but in a different order than what's expected (dirtest.out).
To fix this, sort both the expected and actual output.
Per the discussion in #243, this MR removes Python 2 compatibility. Namely, this merge request:
- removes code behind `sys` and `platform` interpreter version checks
- removes `unicode` vs. `str` handling
- removes unnecessary `__future__` imports
- removes unnecessary `object` inheritance
- removes unnecessary `super()` arguments
- uncomments commented-out code with "uncomment when python3 only" notes or some variant of that message
Regarding the `unicode` vs. `str` handling, it's arguably more Pythonic to check `isinstance(x, str)` as opposed to `type(x) is str`, but I didn't want to alter code behavior.
A change needs to be made to the `INCOMPLETE_COVERAGE` setting in `utils/test/Makefile` to get the pipeline to pass. I didn't get anywhere tweaking the setting myself, so someone else with more AppArmor experience will have to make that change.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/894
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This is a follow-up on !812, which added a call to systemd-detect-virt.
Everywhere else we don't assume that program is present,
and first check if it's there before we run it.
Let's do the same here.
This partially addresses issue #239. There are still some remaining instances where opened files are not properly closed, e.g. the `NamedTemporaryFile` in `utils/apparmor/config.py`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/885
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
The inverse character set lists the characters it doesn't match. If
the inverse character set contains an oob then that is NOT considered
a match. So length should be one.
However because of oobs are handle not containing an oob doesn't mean
there is a match either. Currently the only way to match an oob is
via a positive express (no inverse matches are possible).
Signed-off-by: John Johansen <john.johansen@canonical.com>
Without the change apparmor build fails on this week's gcc-13 snapshot as:
capability.h:66:6: error: variable or field '__debug_capabilities' declared void
66 | void __debug_capabilities(uint64_t capset, const char *name);
| ^~~~~~~~~~~~~~~~~~~~
capability.h:66:27: error: 'uint64_t' was not declared in this scope
66 | void __debug_capabilities(uint64_t capset, const char *name);
| ^~~~~~~~
capability.h:23:1: note: 'uint64_t' is defined in header '<cstdint>'; did you forget to '#include <cstdint>'?
22 | #include <linux/capability.h>
+++ |+#include <cstdint>
23 |
... if a test is expected to fail, but succeeds.
Also fix the copyright year - the test was created in 2022, not in 2013.
This fixes my comments on
bd78b6b292
libapparmor: fix handling of failed symlink traversal, fixed a couple
of directory walk issues that could cause failures. The test included
in this commit was supposed to be included in the previous commit,
but was accidentally dropped. Even worse the make file changes did
make it causing the previous commit to break the CI.
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/85
Signed-off-by: John Johansen <john.johansen@canonical.com>
Ideally we would have a flag or something so the caller could choose
to handle symlinks, or traverse them. But since all callers currently
don't handle symlinks just handle them in the iterator.
Beyond fixing the early termination due to a failed symlink this also
fixes another case of failure in one job cause dir based loads to
terminate early. Which can result in partial loads.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/215
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/850
Signed-off-by: John Johansen <john.johansen@canonical.com>
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Libapparmor was fixed for lto builds on commit 7cde91f5 but
the parser was also failing due to the same reasons when lto
was enabled.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/214
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
As shellcheck taught me
today (https://github.com/koalaman/shellcheck/wiki/SC2015),
"A && B || C is not if-then-else. C may run when A is true".
It does not matter here in practice, because worst case we would run "true" once
too many, but still.
In this case it does not matter, we're merely testing if we can actually
read from that file, but let's make this robust (and shellcheck happy)
for future's sake.
Reference: https://www.shellcheck.net/wiki/SC2162
In 73e124d4fb I've upstreamed the `is_container_with_internal_policy()` function, but so far it was not used anywhere upstream. This is the missing bit.
I could trace the history of that patch back to 2012 (2.7.102-0ubuntu3):
* debian/apparmor.init: do nothing in a container. This can be
removed once stacked profiles are supported and used by lxc.
(LP: #978297)
Context: I lack both knowledge and motivation to keep maintaining this as part of the Debian delta. I'd rather see upstream, and in particular folks more knowledgeable than me about LXC/LXD, or with external motivation factors to work on this part of the stack, take care of it.
Note: Debian has similar code in its [sysvinit script](https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/master/debian/apparmor.init). I'm not touching that one.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/840
Acked-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This script is used at least by LXC upstream and MySQL in Debian:
https://codesearch.debian.net/search?q=%2Flib%2Fapparmor%2Fprofile-load
Presumably it could be useful elsewhere if it was more readily available.
Similarly to !840, this is another user of the `is_container_with_internal_policy()` function. I'd like all the callers of this function to live in harmony under the same roof, upstream.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/841
Acked-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Even if there are Red Hat / Fedora systems that use AppArmor, chances are that
they use systemd, and not an initscript. And even if somehow they do use an
initscript, chances are that it's not this one, as last time it has seen
a non-cosmetic change was in 2007.
* Don't call aa_log_action_end after calling aa_log_failure_msg, because
a generic "failure" message will be outputted twice by the Red Hat and
Slackware init scripts.
* Don't append a space to the initial output from apparmor_stop, in line
with other usages of aa_log_daemon_msg.
Debian doesn't use the init script provided in parser/rc.apparmor.debian,
instead preferring to patch parser/rc.apparmor.functions and call its
functions directly in an init script they maintain themselves (something
they have done since 2006). Since this script is no longer used, and
currently doesn't work correctly anyway because it lacks definitions for
several functions that are relied upon in parser/rc.apparmor.functions,
it can be removed.
