Commit ad81ea0e67 ("tests: Add option to dump policy cache dir with
the libapparmor wrapper") modified aa_policy_cache.c to call
aa_policy_cache_dir_path_preview(). That added a hard dependency on
libapparmor >= 2.13, which is the first version to add
policy_cache_dir_path_preview() to libapparmor. The dependency makes it
impossible to build and run the upstream regression tests against an
installed libapparmor older than 2.13 due to aa_policy_cache.c failing
to build.
Add a compatible aa_policy_cache_dir_path_preview() when building
aa_policy_cache.c against a libapparmor older than 2.13 and newer than
or equal to 2.10.
Fixes: ad81ea0e67 ("tests: Add option to dump policy cache dir with the libapparmor wrapper")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Correct the long option used to print the cache directory.
Fixes: e9d9395f91 ("parser: Add option to print the cache directory")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Test the profile transition limits imposed by NO_NEW_PRIVS to ensure
that behavior doesn't unexpectedly change.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
commit 7297e2f6a8 assumed that exec events
always have a "target=...", but this is only true for events in complain
mode. In enforce mode, the log line doesn't include "target=...".
This commits sets an empty target instead of erroring out on every exec
event in enforce mode.
Also adjust ask_exec() in aa.py to only update
hashlog[aamode][target_profile]['final_name'] if target_profile is set
(hashlog[aamode][''] doesn't exist and trying to write to it would error
out)
- in complain mode, exec events include target=...
- in enforce mode, the log message doesn't include target=...
Note that the utils tests skip exec events (they'd be interactive),
therefore exec*.profile doesn't contain an exec rule.
When cross compiling apparmor-parser, Makefile will use ar for
creating the static library. However, ar produces libraries on
the build platform. The right ar could be prefixed with the target
platform triples.
Signed-off-by: Xiang Fei Ding <dingxiangfei2009@gmail.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Ref: https://github.com/NixOS/nixpkgs/pull/63999
Bug: https://gitlab.com/apparmor/apparmor/issues/41
convert_regexp() needs to escape '(' and ')' in filenames taken from a
logfile to get rid of their special meaning, and to avoid a crash on
unbalanced parenthesis (which makes the regex invalid if they are not
escaped).
Note: The added tests include an example log line, but the tests itsself
don't/didn't trigger the crash because they don't call convert_regexp().
Fixes: https://bugs.launchpad.net/bugs/1835311
v2:
- parse partial log line broken at \n
- add testcase_dbus_10.* for partial log line
- remove quotes from testcasw_dbus_09.profile
The following log format has been seen in the wild, and currently results
in a RECORD_INVALID
[4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Test parsing the above message with and without the \n embedded between
peer_label= and exec=
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add for Certbot on openSUSE Leap
The default path is `/etc/certbot/archive/{some domain}/{file name}.pem`
See merge request apparmor/apparmor!397
Acked-by: Christian Boltz <apparmor@cboltz.de>
The mult_mount test creates a small disk image, formats it, and mounts
it in multiple locations in preparation for the tests. However, the
created raw file (80KB) is too small to make a working file system if
4K blocks are used by mkfs. In Ubuntu 19.10, the default was recently
changed for mkfs to default to always using 4K blocks, causing the
script to fail.
We could force mkfs to use 1K blocks, but instead, in case some future
version of mkfs decides not to support 1K blocks at all, we bump up the
size of the disk image to 512KB; large enough to work with 4K blocks
yet small enough to be workable in small scale test environments.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1834192
MR: https://gitlab.com/apparmor/apparmor/merge_requests/396
Instead of setting SFS_MOUNTPOINT in is_apparmor_loaded() (which is
called in most cases) and in is_container_with_internal_policy() (which
covers/fixes the remaining cases), set it globally.
This also fixes a bug in is_container_with_internal_policy() (introduced
in f10e72a14f) where the variable
definition tried to use the no longer existing $MODULE variable and
therefore got a wrong path for $SFS_MOUNTPOINT.
Besides this bug, there's a minor behaviour change / improvement if
securityfs isn't mounted - "file not found" error messages will now
contain the full/correct path ;-)
This change/cleanup is a follow-up of
https://gitlab.com/apparmor/apparmor/merge_requests/363 and some IRC
discussions 2019-04-16.
freshclam needs to write more files in /var/lib/clamav/, and also needs
to write its pid file.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/381
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
When dc010bc034 was
backported to the apparmor-2.13 branch (in commit
75236d62e2), it did not take into
account cb8c3377ba, which creates the
common/list_af_names.sh script as used in the test case, was not also
backported to the apparmor-2.13 branch.
Change the test case to get the list of network AF names via the same
make invocation taken by the utils/vim/create-apparmor.vim.py script
before the common/list_af_names.sh existed.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/391
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
update postfix profiles
On openSUSE Leap 15.1, the postfix binaries live in /usr/lib/postfix/bin/ which was not covered in the postfix.\* attachment and mrix rules.
Also add several permissions to the postfix.\* profiles needed on openSUSE Leap 15.1.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/380
Signed-off-by: John Johansen <john.johansen@canonical.com>
is_container_with_internal_policy() is called independently of
apparmor_*() in the systemd unit and potentially other consumers of
rc.apparmor.functions. When the unit and rc.apparmor.functions functions
were rewritten, they were written so that SFS_MOUNTPOINT was only set in
is_apparmor_loaded(), but this is only called in apparmor_start(),
remove_profiles(), apparmor_kill(), apparmor_restart(), apparmor_try_restart()
and apparmor_status() and not is_container_with_internal_policy().
While it is clear that is_container_with_internal_policy() is meant to
be called before apparmor_start(), is is unclear why SFS_MOUNTPOINT is
only defined in is_apparmor_loaded(). There are several ways to fix
this:
1. update is_container_with_internal_policy() to call is_apparmor_loaded()
2. identify the callers of is_container_with_internal_policy() and have
them call is_apparmor_loaded()
3. reorganize the code to remove duplicate calls and assignments
4. define SFS_MOUNTPOINT along with SECURITYFS and MODULE, at the top
level
5. also define SFS_MOUNTPOINT in is_container_with_internal_policy()
'1' would result in redundant calls in many common cases since the
systemd unit would call is_apparmor_loaded() both in
is_container_with_internal_policy() and prior to other calls.
'2' would like break consumers of rc.apparmor.funcions, like
Debian/Ubuntu's profile-load.
'3' is perhaps ok, but requires more effort and is regression-prone.
'4' seems the simplest, most correct fix
'5' is what this patch implements, which is as simple as '4' but tries
to maintain the original author's intent of when to set SFS_MOUNTPOINT.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/363
Signed-off-by: Jamie Strandboge <jamie@strandboge.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add a target to install build dependencies for the apparmor regression
tests. Currently supports Ubuntu and Debian distros.
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The translated action character for Deny conflicted with the
untranslated action character for Finish in the Swedish translation.
Remote it, and hope for more action translations.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
