Denying it means netstat -p (actually tested with -tulpen) can't find
out the program name.
sys_ptrace is "only" needed for tracing processes that run under a
different uid.
Also add ptrace (read), for systems that support ptrace rules.
For now we only allow quoted absolute paths without spaces in the name
due to:
- 1738877: include rules don't handle files with spaces in the name
- 1738879: include rules don't handle absolute paths without quotes in
some versions of parser
- 1738880: include rules don't handle relative paths in some versions of
the parser
.gitignore additions for libapparmor tests, binutils, and the vim syntax highlighting files
See merge request apparmor/apparmor!43
Acked-by: Christian Boltz <apparmor@cboltz.de>
- dict needs abstractions/openssl (seen with dovecot 2.2.31 since
using openssl 1.1)
- imap needs to write tempfiles (seen with dovecot 2.2.31)
- managesieve-login needs access to the login-master-notify socket
(seen with dovecot 2.2.33)
- pop3-login needs access to the anvil socket (reported by pfak on
IRC some months ago)
- extend available_buttons() to display an "owner permissions on/off"
button if the rule supports it
- extend ask_the_questions() to handle these buttons
- add some tests to test-translations.py to avoid hotkey conflicts with
the newly added buttons
- move the code of set_options_audit_mode() to a new function
set_options_mode() and make set_options_audit_mode() a wrapper for it.
- add set_options_owner_mode() as another wrapper for set_options_mode()
and add code to switch the owner flag to set_options_mode()
- add tests for set_options_owner_mode()
This flag defines if the "Owner permissions on/off" button gets
displayed in aa-logprof.
False by default for all rule types (most of them don't support the
owner conditional). Also false for non-owner FileRule.
True only for FileRule if owner=True.
Several log examples result in rules where the 'owner' conditional
should be added. With logparser.py fixed to handle owner-only events, we
need to add the owner conditional to several test_multi/*.profile files.
I verified all log files for the changed profiles and made sure that
- the log line contains fsuid= and ouid=
- fsuid == ouid
I also did a quick check on all log events containing ouid= and for
those with fsuid == ouid, I checked that the profile has the owner
conditional.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11
(see mail from 2017-07-31)
logparser.py failed to notice if file events are owner-only in modern
audit.log (using fsuid=... and ouid=...).
This patch adds a comparison of fsuid and ouid and marks file events
as 'owner' if they match.
Note that log events without fsuid=... or ouid=... will have
18446744073709551615 as fsuid / ouid value (that's 2^64 - 1).
'None' would clearly be better ;-)
References: https://bugs.launchpad.net/apparmor/+bug/1538340
handle_children(): automatically add m permissions on ix rules
See merge request apparmor/apparmor!22
Acked-by: John Johansen <john.johansen@canonical.com>
Exit rather than returning from shell snippets in Makefiles. It is
reported that returning causes the following error message with bash:
/bin/sh: line 4: return: can only `return' from a function or sourced script
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Christian Boltz <apparmor@cboltz.de>
The utils have tests that rely on the in-tree parser to be built so it
should be documented that the parser should be built first.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
