Since 04eb2fe3, __parse_profiles_dir can only return 0 or 1, so $STATUS can only
be 0 or 1, so trying to reset this variable to 0 when its value is 2 can only
cause confusion.
Split out RE_FLAGS
... instead of having it duplicated in RE_PROFILE_HAT_DEF and RE_PROFILE_START.
Note that the flags=... handling in RE_PROFILE_HAT_DEF was more/too
strict (for example it didn't allow whitespace around the "="), so this
change also qualifies as a little bugfix.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/287
Acked-by: John Johansen <john.johansen@canonical.com>
dovecot: allow reading /proc/sys/fs/suid_dumpable
This is needed if a dovecot child process segfaults - in this case, dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.or /bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
I propose this fix for 2.10..master.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/286
Acked-by: John Johansen <john.johansen@canonical.com>
Ignore *.orig and *.rej files when loading profiles
This was "accidently" reported by Ralph on the opensuse-support
mailinglist.
I propose this for 2.10..master (I verified that 2.10 tools and libapparmor have *.orig and *.rej in the ignore list)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/282
Acked-by: John Johansen <john.johansen@canonical.com>
dnsmasq profile updates by Petr Vorel
This merge request includes two dnsmasq profiles Petr Vorel sent to the mailinglist:
dnsmasq: Add pid file used by NetworkManager
dnsmasq: Adjust pattern for log files to comply SELinux
I propose these patches for 2.11..master.
I'm not against also backporting to 2.10, but the profile in 2.10 doesn't allow to write anything in /var/log/, so either we apply/backport the changes manually, or we rely on the fact that we didn't get any bugreports for it ;-) Oh, and since I'm only forwarding these patches, I'll already add
Acked-by: Christian Boltz apparmor@cboltz.de for 2.11..master
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/288
i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
... instead of having it duplicated in RE_PROFILE_HAT_DEF and
RE_PROFILE_START.
Note that the flags=... handling in RE_PROFILE_HAT_DEF was more/too
strict (for example it didn't allow whitespace around the "="), so this
change also qualifies as a little bugfix.
This is needed if a dovecot child process segfaults - in this case,
dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
In fed101920b, the coverity build process
was modified to split out the build logs into separate files, instead of
having one log file that gets overwritten repeatedly, making failures
hard to debug.
However, the coverity service gets upset if there is no file named with
the expected build log name. Therefore, instead, we'll capture the
python bits first, and then capture all the compilation bits in one
cov-build command.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/273
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
`/etc/letsencrypt/live/` contains symlinks to
`/etc/letsencrypt/archive/` which contains the keys. Add the
certs to ssl_certs and the private keys to ssl_keys.
Grant the ability to communicate with the postfix named child profiles
via signals and unix sockets. Include the path-based match names as
a fallback on upgrades.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Convert all the postfix subprocesses to using named profiles instead of
path match profiles, and adjust exec paths for newer debian/ubuntu
releses. Rename profiles to match profile names.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Convert postfix's master profile to use a named profile
(postfix-master) rather than the exec path match pattern. Adjust
postfix-common abstraction to take this into account. Rename profile
name in the profiles/apparmor/profiles/extras/ directory to match
the profile name.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
aa-genprof checks if one of the profiles in the extra profile dir
matches the binary, and proposes to use that profile as a starting
point.
Since 4d722f1839 the "(V)iew profile"
option to display the proposed profile was broken.
The easiest fix is to remember the filename in the extras directory, and
display the file from there.
Sidenote: when choosing to use the extra profile, it gets written to
disk without any problems, so this bug really only affected "(V)iew
profile" to preview the proposed extra profile.
parse_profile_data(): Ensure last line in a profile is valid
'lastline' gets merged into 'line' (and reset to None) when reading the
next line. If 'lastline' isn't empty after reading the whole profile,
this means there's something unparseable at the end of the profile,
therefore parse_profile_data() should error out.
Also remove some simple_tests testcases from the 'exception_not_raised'
list - they only didn't raise the exception because the invalid rule was
the last line in the affected profile.
Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
discovering this bug while adding some xattr testcases that surprisingly
didn't fail in the tools.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/271
Acked-by: John Johansen <john.johansen@canonical.com>
'lastline' gets merged into 'line' (and reset to None) when reading the
next line. If 'lastline' isn't empty after reading the whole profile,
this means there's something unparseable at the end of the profile,
therefore parse_profile_data() should error out.
Also remove some simple_tests testcases from the 'exception_not_raised'
list - they only didn't raise the exception because the invalid rule was
the last line in the affected profile.
Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
discovering this bug while adding some xattr testcases that surprisingly
didn't fail in the tools.
Replace "existing_profiles" & fix minitools for named profiles
See merge request apparmor/apparmor!249
Acked-by: John Johansen <john.johansen@canonical.com>
Expr tree simplification makes multiple passes at simplifying the
expression tree trying to use fatoring rules and heuristics to achieve
the minimum tree, so that dfa construction has fewer nodes to deal
with.
Unfortunately expr tree simplification can slow some policy compiles,
dependent on the type of expressions generated, down, and even worse
is currently subject to never terminating on some expressions as the
left and right passes keep undoing each others work.
Limiting the number of passes that expr tree simplification does can
provide most of its benefits (later passes generally have diminishing
returns), reduces the overhead it has on simple policy where it is of
little benefit, and insures that simplifications can not get stuck in
an infinite loop due to the left and right passes ping-ponging on each
others factoring.
Note: This also results in a performance improvement in evince
compiles, and general policy compiles because it achieves a better
balance between time spent on simplifying the tree to remove nodes and
time the dfa build requires to build with extra nodes and then
eliminate with minimization.
$ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
real 0m2.744s
user 0m2.714s
sys 0m0.028s
vs.
$ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
real 0m2.992s
user 0m2.979s
sys 0m0.012s
and
$ time apparmor_parser -QT /etc/apparmor.d/
real 0m3.568s
user 0m14.529s
sys 0m0.152s
vs.
$ time apparmor_parser -QT /etc/apparmor.d/
real 0m3.741s
user 0m15.400s
sys 0m0.179s
PR: https://gitlab.com/apparmor/apparmor/merge_requests/246
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Remove traces of aa-eventd
aa-eventd and its initscripts have been moved to deprecated/ in 2014 and didn't get any serious updates for several more years, so it's most probably useless and/or broken nowadays.
This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE variables in rc.apparmor.functions anymore.
(In theory I could move these variables to deprecated/rc.aaeventd.* - but in practise that sounds more than superfluous ;-)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/263
Acked-by: John Johansen <john.johansen@canonical.com>
