The initial apparmor.service assumed the profile cache is in
/var/lib/apparmor/ which was an openSUSE-specific path that was chosen
for historical reasons, but was far from perfect.

In the meantime, the profile cache moved to /var/cache/apparmor/ and the
read-only/packaged version was added in /usr/share/apparmor/cache/

This commit adjusts apparmor.service to use these paths.

These tests verify that
- _is_equal_aare() really raises an exception when it sees an invalid
  combination of other_value and other_all
- BaseRuleset.__repr__() works as expected

As a side effect, this commit pushes the test coverage of
apparmor/rule/__init__.py to 100% ;-)

- rename prof_data parameter to ref
- drop empty allow, prefix and tail, and their usage in the format
  string
- inline sep into the format string
- replace usage of fn with the actual function name (var_transform)

This is needed to get a reproducible output.

Also adjust the tests in test-profile-storage.py and add some example
variable to cleanprof.in and cleanprof.out

The aa-exec tool was indicating, in an error message, that a profile
didn't exist in cases where aa_change_profile() failed with errno set to
ENOENT or EACCES. However, the EACCES error means that changing to the
target profile is not allowed. This patch fixes the error message in the
case of EACCES:

    $ ./aa-exec -p dne -- true
    aa-exec: ERROR: profile 'dne' does not exist
    $ ./aa-exec -p /usr/sbin/tcpdump -- ./aa-exec -p unconfined -- true
    aa-exec: ERROR: insufficient permissions to change to the profile 'unconfined'

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

Add the pid of the process to the error, debug, and verbose output. This
is useful for debugging.

For example,

    $ aa-exec -v -- whoami
    [30389] exec whoami
    tyhicks
    $ aa-exec -p dne -- true
    [30390] aa-exec: ERROR: profile 'dne' does not exist
    $ aa-exec -d -p unconfined -- true
    [30409] aa-exec: DEBUG: 0 = aa_change_onexec("unconfined")

It can also help when multiple aa-exec invocations are used across a
fork and exec. Here's a contrived example:

    $ aa-exec -v -- \
        sh -c 'aa-exec -vp /usr/sbin/tcpdump -- aa-exec -p unconfined -- true'
    [3424] exec sh -c aa-exec -vp /usr/sbin/tcpdump -- aa-exec -p unconfined -- true
    [3425] aa_change_onexec("/usr/sbin/tcpdump")
    [3425] exec aa-exec -p unconfined -- true
    [3425] aa-exec: ERROR: profile 'unconfined' does not exist

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

This commit adds an initial gitlab-ci.yml file to perform test builds
and run tests on each commit.

v2: add liblocale-gettext-perl dependency for parser simple test
v3:
- set noninteractive prompt to avoid debconf queries when installing
  packages
- disable profiles test against aa-logprof; even if library and python
  path issues are resolved, aa-logprof early aborts due to being
  unable to find /sbin/apparmor_parser

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Tyler Hicks <tyler.hicks@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/101

If a log line contains a denial for a child profile, log_dict will
(obviously) only contain the child profile. However, serialize_profile()
expects that the parent profile is also initialized as ProfileStorage.
This patch makes sure the parent profile gets initialized.
It also removes 26 of the 37 reasons in the TODO note in aa.py :-)

ProfileStorage.get_rules_clean() returns all rules in a profile
(without the profile header or the closing '}')

Also change aa.py write_rules() to use get_rules_clean()

ProfileStorage() stores the content of a profile, so it makes sense to
also have the functions to write those rules (including helper functions
used by these functions) in the same file.

Note that I only moved the functions for rule types that are not handled
by *Ruleset classes.

The functions for writing rules stored in a *Ruleset class will
hopefully be superfluous sooner or later (probably later because
serialize_parse_profile_start() depends on them, and rewriting it won't
be easy)

Also move the test for var_transform() to test-profile-storage.py.

The POSIX standard never defines the typedefs `comparison_fn_t` and
`__free_fn_t`, but they are provided by glibc and used in the parsing
code. Provide the typedefs ourselves to fix compiling on musl based
systems.

Signed-off-by: Patrick Steinhardt <ps@pks.im>

The `secure_getenv` function is a non-POSIX compliant extension of
glibc. In contrast to the POSIX `getenv`, `secure_getenv` will return
`NULL` for all environment variables when the program is run with
escalated privileges due to an SUID or SGID bit. Some strictly
POSIX-compliant libc libraries, most notably musl libc, do not have this
function and do not wish to implement it. Thus, AppArmor cannot be
compiled on such systems.

In libapparmor, `secure_getenv` is only used to determine whether the
environment variable DEBUG_ENV_VAR has been set to enable debugging. In
case an unprivileged user runs a SUID/SGID executable linked against
libapparmor, we do not want that user to be able to get additional
information via debug output.

The fix here is to produce an error only in the case where debug output
is enabled by defining ENABLE_DEBUG_OUTPUT. Otherwise, we simply define
`secure_getenv` to `NULL` to completely disable the debug output.

Signed-off-by: Patrick Steinhardt <ps@pks.im>

While the parser makes use of the `aa_policy_cache_add_ro_dir` function,
it is not being declared as a global function in the libapparmor.map
file. Due to this, dynamic linking of apparmor_parser with
libapparmor.so is not possible.

[Fixed up to use 2.13.1 symbol section as when the
`aa_policy_cache_add_ro_dir` was introduced -- @smb]

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/107

- allow smbd to load new shared libraries
- allow winbindd to read and write new kerberos cache location

Based on a patch by "Samuel Cabrero" <scabrero@suse.com>

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1092099

This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)

[Per feedback, added USR_SBINDIR as a toggle for the install location
of aa-teardown -- @smb]

Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/111/

Merge remote-tracking branch 'cboltz/cboltz-rewrite-write_alias' from
Christian Boltz

Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/120/

Merge remote-tracking branch 'cboltz/cboltz-fix-write-alias' from
Christian Boltz.

Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/119

Instead of calling write_pair() (which is quite complex because it needs
to handle multiple rule types), write the alias rules directly in
write_alias().

This comes with minor code duplication, but makes the code much more
readable (3 instead of 7 %s)

write_pair() ignored the 'tail' parameter, which resulted in writing
invalid alias rules (without the trailing comma).

Also add an alias to test/cleanprof.* to ensure it doesn't break again.

test-libapparmor-test_multi.py converts the libapparmor test_multi log
examples to profiles.

This patch allows calling test-libapparmor-test_multi.py with a logfile
(containing a single log line) as parameter. It will then print the
resulting profile.

Example:

    # python3 test-libapparmor-test_multi.py /path/to/libraries/libapparmor/testsuite/test_multi/testcase_dbus_01.in
    /tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service {
      dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(label=unconfined),
    }

Writing a "link subset" rule missed a space, which resulted in something
like

    link subset/foo -> /bar,

Also add a test rule to tests/cleanprof.* to ensure this doesn't break
again.