Add kernel patches that will NEVER be sent upstream. These provide abi
compatibility with the v2.x network and af_unix rules.
The 4.17 network mediation pull request deliberately broke abi
compatibility with the v2.x rules, and these are provided so that
distros who shipped the v2.x compatible patches can provide new
kernels on older releases that require v2.x network support.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Note that NO_FLAGS was an inverse option, therefore
- NO_FLAGS was changed to FLAGS (also in sync_profile() which is the
only caller that sets FLAGS)
- the default for include_flags (if FLAGS is not set) is True
Add mesa abstraction to allow writing to the Mesa-specific cache
locations and listing devices. Abstraction is needed for applications
utilizing OpenGL API with Mesa implementation available on the system.
parse_profile_start(): Error out on nested child profiles
See merge request apparmor/apparmor!136
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
use serialize_profile() for the new profile in (V)iew Changes
See merge request apparmor/apparmor!131
Acked-by: John Johansen <john.johansen@canonical.com>
The tools can't handle nested child profiles yet. Instead of failing
in funny[tm] ways (parse_profile_start() only returned the first two
segments of the profile name) better error out with a clear message.
The initial apparmor.service assumed the profile cache is in
/var/lib/apparmor/ which was an openSUSE-specific path that was chosen
for historical reasons, but was far from perfect.
In the meantime, the profile cache moved to /var/cache/apparmor/ and the
read-only/packaged version was added in /usr/share/apparmor/cache/
This commit adjusts apparmor.service to use these paths.
These tests verify that
- _is_equal_aare() really raises an exception when it sees an invalid
combination of other_value and other_all
- BaseRuleset.__repr__() works as expected
As a side effect, this commit pushes the test coverage of
apparmor/rule/__init__.py to 100% ;-)
... which is unused since the last commit.
Also delete several functions that were only used by this function:
- write_change_profile()
- write_rlimits()
- write_capabilities()
- write_netdomain()
- write_dbus()
- write_signal()
- write_ptrace()
- write_file()
Finally, no longer import some functions from profile_storage:
- write_links
- write_mount
- write_pivot_root
- write_unix
BTW: Deleting these 460 lines improves test coverage of aa.py from
38% to 44%, and total test coverage from 63% to 66% :-)
- rename prof_data parameter to ref
- drop empty allow, prefix and tail, and their usage in the format
string
- inline sep into the format string
- replace usage of fn with the actual function name (var_transform)
This is needed to get a reproducible output.
Also adjust the tests in test-profile-storage.py and add some example
variable to cleanprof.in and cleanprof.out
The aa-exec tool was indicating, in an error message, that a profile
didn't exist in cases where aa_change_profile() failed with errno set to
ENOENT or EACCES. However, the EACCES error means that changing to the
target profile is not allowed. This patch fixes the error message in the
cause of EACCES:
$ ./aa-exec -p dne -- true
aa-exec: ERROR: profile 'dne' does not exist
$ ./aa-exec -p /usr/sbin/tcpdump -- ./aa-exec -p unconfined -- true
aa-exec: ERROR: insufficient permissions to change to the profile 'unconfined'
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Add the pid of the process to the error, debug, and verbose output. This
is useful for debugging.
For example,
$ aa-exec -v -- whoami
[30389] exec whoami
tyhicks
$ aa-exec -p dne -- true
[30390] aa-exec: ERROR: profile 'dne' does not exist
$ aa-exec -d -p unconfined -- true
[30409] aa-exec: DEBUG: 0 = aa_change_onexec("unconfined")
It can also help when multiple aa-exec invocations are used across a
fork and exec. Here's a contrived example:
$ aa-exec -v -- \
sh -c 'aa-exec -vp /usr/sbin/tcpdump -- aa-exec -p unconfined -- true'
[3424] exec sh -c aa-exec -vp /usr/sbin/tcpdump -- aa-exec -p unconfined -- true
[3425] aa_change_onexec("/usr/sbin/tcpdump")
[3425] exec aa-exec -p unconfined -- true
[3425] aa-exec: ERROR: profile 'unconfined' does not exist
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
This commit adds an initial gitlab-ci.yml file to perform test builds
and run tests on each commit.
v2: add liblocale-gettext-perl dependency for parser simple test
v3:
- set noninteractive prompt to avoid debconf queries when installing
packages
- disable profiles test against aa-logprof; even if library and python
path issues are resolved, aa-logprof early aborts due to being
unable to find /sbin/apparmor_parser
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Tyler Hicks <tyler.hicks@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/101
If a log line contains a denial for a child profile, log_dict will
(obviously) only contain the child profile. However, serialize_profile()
expects that the parent profile is also initialized as ProfileStorage.
This patch makes sure the parent profile gets initialized.
It also removes 26 of the 37 reasons in the TODO note in aa.py :-)
