Right now, if you have a named profile with regular expressions to
match binaries, the profile will be shown in aa-status under the
"process list", which doesn't make sense. Instead, show the actual
executable name, and if the profile name differs, report it at the
end (or as a separate field in the json output mode).
Signed-off-by: Kees Cook <keescook@chromium.org>
Allow to create .nv directory
See merge request apparmor/apparmor!69
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
Update nvidia abstraction to allow creating NVIDIA-specific user directories in
case it is missing (due to fresh $HOME or if manually removed for any reason).
Update base abstraction for ld.so.conf and friends.
See merge request apparmor/apparmor!62
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
Add new dri-common abstraction to contain basic DRI-specific rules.
This refactoring is based on a decision to have set of dri-* abstractions for
fine grained control on case-by-case basis. While dri-common is included in X
abstraction by default, additional DRI-related abstractions can be introduced
(such as for enumerating graphics devices) while keeping them logically together
with same dri- prefix.
apparmor: fix regression in network mediation when using feature pinning
When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
or earlier pinned feature set, there is a regression in network
mediation where policy is not being correctly enforced, because the
compilation is completely dropping the af mediation table as expected
by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
Resulting in network denials that can not be fixed by policy.
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: fix regression in network mediation when using feature pinning
When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
or earlier pinned feature set, there is a regression in network
mediation where policy is not being correctly enforced, because the
compilation is completely dropping the af mediation table as expected
by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
Resulting in network denials that can not be fixed by policy.
Signed-off-by: John Johansen <john.johansen@canonical.com>
write_include() was the only user of write_single(), and write_single()
had some include-specific code. This patch gets rid of write_single().
write_include() gets a simplified version of the code instead of calling
write_single().
tools: Mark profiles with multiple rules in one line as known-failing
See merge request apparmor/apparmor!61
Acked-by: John Johansen <john.johansen@canonical.com>
The tools don't support having multiple rules in one line (they expect
\n after each rule), therefore mark some of the bare_include_tests as
known failures.
console_select_and_upload_profiles() and set_profiles_local_only() both
use a local variable named 'profs'. Rename it to 'profiles'.
This is the first baby step for rewriting how aa.py stores the profiles
internally. I plan to use 'profs' as variable name instead of 'aa', and
this commit gets the result for "grep -r profs" down to 0.
Some of the regression tests are missing conditionals or have the
wrong conditionals so that they fail on current upstream kernels.
Fix this by adding and changing conditionals and requires where
appropriate. With the patches the tests report passing on 4.14 and
4.15 kernels.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time out
This is a minimal patch to add conditional includes to the profile
language.
The syntax for conditional includes is similar to regular includes
except with the addition of "if exists" after "include"
include if exists <foo/bar>
include if exists "foo/bar"
include if exists "/foo/bar"
include if exists foo/bar
Note: The patch is designed to be backportable with minimum
effort. Cleanups and code refactoring are planned for follow up
patches that won't be back ported.
Signed-off-by: John Johansen <john.johansen@canonical.com>
includes were not handling WS in path names correctly. Allow WS within
quotes. Eg
include "foo bar"
include <"foo bar">
BugLink: http://bugs.launchpad.net/bugs/1738880
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/
See merge request apparmor/apparmor!57
Acked-by: John Johansen <john.johansen@canonical.com>
On current Debian sid it needs to read
/usr/share/dovecot/protocols.d/imapd.protocol, which is not surprising given it
already needed read access to /usr/share/dovecot/protocols.d/.
Install pam_apparmor.so with write permission for its owner.
See merge request apparmor/apparmor!56
Acked-by: John Johansen <john.johansen@canonical.com>
I could not find the reason why the upstream Makefile has been installing it
with permissions 555: this predates the migration from SVN.
Regardless, at least on Debian and derivatives, dh_fixperms has been
changing these permissions to 755 forever so it was causing problems,
likely we would know about it by now.
The initial motivation for this change is supporting rootless builds on Debian
and derivatives, also known as "Rules-Requires-Root: no":
- /usr/share/doc/dpkg-dev/rootless-builds.txt* on a Debian system
with a sufficiently recent dpkg-dev installed
- https://nthykier.wordpress.com/2017/10/29/building-packages-without-fakeroot/
- https://lists.debian.org/debian-devel/2017/10/msg00520.html
With this change applied upstream, Debian-based downstreams don't need to adjust
their debian/rules to make this work with "Rules-Requires-Root: no":
chrpath -d $(CURDIR)/debian/tmp/lib/security/pam_apparmor.so
This is needed by new versions of notify-send, as found on openSUSE
Tumbleweed. Without this, desktop notifications don't work anymore, and
notify-send starts to eat up CPU.
If DBUS_SESSION_BUS_ADDRESS is already set, it won't be changed.
This is a minimal patch so that it can be backported to 2.11 and 2.10
which reverts the abort on error failure when the cache can not be
created and write-cache is set.
This is meant as a temporary fix for
https://bugzilla.suse.com/show_bug.cgi?id=1069906https://bugzilla.opensuse.org/show_bug.cgi?id=1074429
where the cache location is being mounted readonly and the cache
creation failure is causing policy to not be loaded. And the
thrown parser error to cause issues for openQA.
Note: A cache failure warning will be reported after the policy load.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz apparmor@cboltz.de
(cherry picked from commit 42b68b65fe1861609ffe31e05be02a007d11ca1c)
This patch supports rolling a tarball for a release, as well as doing
'make tag'. Only stuff that's been committed should get incorporated
into the tarball.
Signed-off-by: John Johansen <john.johansen@canonical.com>
