Subject: perl-apparmor: Properly handle bare 'file' keyword
References: bnc#889652
The bare file keyword is a shortcut for /{**,}. There are also implied
permissions that go with it.
This patch accepts the file keyword as well as allowing for missing mode
specifiers.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Subject: perl-apparmor: Handle bare 'capability' keyword
References: bnc#889651
Specifying 'capability' implies all capabilities, but the perl code didn't
recognize it.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Subject: perl-apparmor: Fix bare 'network' keyword handling
References: bnc#889650
The 'network' bare keyword was being printed as "audit network all" due to
two different bugs:
1) {audit}{all} was always being set to 1, regardless of whether the audit
keyword was used
2) {rule} eq 'all' is the wrong test - it should be {rule}{all}
With these fixed, 'network' is properly handled.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Merge from trunk rev 2564.
This patch adds the new capability CAP_AUDIT_READ, added in the 3.16
kernel, to the utils severity.db. I set the severity level at 7,
since it seemed to offer less exposure than CAP_AUDIT_CONTROL and
CAP_AUDIT_WRITE, which are both considered severity 8.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
example with LANG=pt_BR) because a regex relies on netstat output.
Enforce LANG=C to make sure aa-unconfined always sees the expected output.
Acked-by: Steve Beattie <steve@nxnw.org>
(The broken URLs were introduced in r1582.)
for utils/*.pod:
Acked-by: Steve Beattie <steve@nxnw.org>
for the other directories:
Patch by Steve Beattie
Acked-by: Christian Boltz <apparmor@cboltz.de>
Patch by Kshitij Gupta <kgupta8592@gmail.com>
A previous bugreport [1] was fixed using the smartmatch operator,
which raised the minimum Perl version requirement to >=5.10.1 .
However in Perl5.18 the smartmatch operator has again become
"experimental" [2] so the following patch replace smartmatch operator
with grep and thereby avoiding the requirement hike and avoiding
warnings.
[1] https://bugs.launchpad.net/apparmor/+bug/1180230
[2] http://blogs.perl.org/users/mike_b/2013/06/a-little-nicer-way-to-use-smartmatch-on-perl-518.html
ACKed-by: Christian Boltz <apparmor@cboltz.de>
and Glob with Ext putting duplicate entries in the list.
The fix introduced a Perl 5.10.1 or higher dependency, so start documenting
minimum required versions of packages.
Acked-By: Christian Boltz <apparmor@cboltz.de>
the 2.8 branch.
Original commit message:
committer: Jamie Strandboge <jamie@canonical.com>
Initial port to python3 for utilities. Thanks to Dmitrijs Ledkovs
Acked-By: Jamie Strandboge <jamie@canonical.com>
Most of trunk r2052 also applies to the 2.8 branch. The only difference
is the last section of changes in utils/vim/create-apparmor.vim.py
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Skimmed-by: Seth Arnold <seth.arnold@canonical.com>
Merge from trunk commit 2077
Original message:
Subject: aa-decode test script v3
This patch adds a test script/driver for the aa-decode utility. The only
change from the previous versions is to support overriding the location
of the aa-decode to test via the APPARMOR_DECODE environment variable
and documenting the utils/ tests in the top level README.
The aa-decode test can be run directly from the commandline in the utils
directory like so:
test/test-aa-decode.py -v
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Acked-By: John Johansen (up to r2072)
Acked-by: Steve Beattie <sbeattie@ubuntu.com> (including r2088)
In detail, the changes are (bzr log from trunk):
------------------------------------------------------------
revno: 2088
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2013-01-01 20:15:04 +0100
message:
speed up aa-decode by using a bash regex matching instead of calling egrep for each line.
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(Patch sent 2012-11-01, Acked-by from 2013-01-01)
------------------------------------------------------------
revno: 2072
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2012-10-16 00:19:49 +0200
message:
Fix aa-decode handling of stdin
Handling stdin was totally broken (= no output) with the current log
format because aa-decode expected name= to be the last entry in the
log line.
This patch for stdin handling
- fixes the pattern to match the current log format (name= is NOT the
last part in the log entry)
- uses bash replacement to avoid some sed calls (which also means the
script now needs an explicit "#!/bin/bash")
- prints decoded filenames in double instead of single quotes to be
consistent with filenames that were not encoded
- also prints lines that do not contain an encoded filename (instead of
grepping them away)
- replace tr calls by perl's uc() (also for non-stdin mode)
- also handle encoded profile names (introduced by Steve)
- don't fail if a file or profile name contains a '
In other words: you can pipe your audit.log through aa-decode, and the
only difference to the raw audit.log is that filenames are decoded.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
------------------------------------------------------------
revno: 2068
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Mon 2012-09-17 23:55:28 +0200
message:
fix error handling in aa-decode
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Looks-Good-By: ;-) Seth Arnold <seth.arnold@gmail.com>
------------------------------------------------------------
create-apparmor.vim.py was failing on systems with python 2.5, fix that
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
* the application, library, documentation and installation script
* the initial templates and policy groups. This will undoubtedly need
refinement as we get feedback from users. Initial policy is based on Ubuntu's
Application Review Board (ARB) requirements[2].
* tests for the library
* Makefile integration
Templates are stored in /usr/share/apparmor/easyprof/templates and policy
groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via
/etc/apparmor/easyprof.conf.
The aa-easyprof.pod has complete documentation on usage with some
additional information in utils/easyprof/README (mostly duplicated
here).
Testing can be performed in a number of ways:
$ cd utils ; make check # runs unit tests and pyflakes
Unit tests manually:
$ ./test/test-aa-easyprof.py
In source manual testing:
$ ./aa-easyprof --templates-dir=./easyprof/templates \
--policy-groups-dir=./easyprof/policygroups \
... \
/opt/foo/bin/foo
Post-install manual testing:
$ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install
$ cd /tmp/test
$ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \
--templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \
--policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \
/opt/bin/foo
(you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid
specifying --templates-dir and --policy-groups-dir).
Committing this now based on conversation with John and Steve.
Acked-By: Jamie Strandboge <jamie@canonical.com>
When writing out a profile, aa-logprof incorrectly converts PUx execute
permission modes to the syntactically invalid UPx mode, because the
function that converts the internal representation of permissions to
a string emits the U(nconfined) mode bit before the P bit.
This patch corrects this by reordering the way the exec permissions
are emitted, so that P and C modes come before U and i. Based on
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
this should emit the modes correctly in all combined exec modes.
Other approaches to fixing this would require adjusting the data
structure that contains the permission modes, resulting in a more
invasive patch.
Bug: https://launchpad.net/bugs/982619
manpages (and adjust it so that it's one rule instead of eight). It
also fixes the above problem and a similar problem in the aa-exec
manpage.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
This patch calls autodep on the 'exec'ed binary when the user selects
to place that execution in a child profile. Previously, logprof would
create an entirely empty child profile in complain mode (this fix
still leaves the child profile in complain mode).
This patch fixes a couple of issue with autodep:
1) The initial profile construction had not been adjusted to include
the 'allow' or 'deny' hash prefixing the path elements. This
fixes it by eliminating the path portion entirely and pushing
the path based accesses to the later analysis section of code.
2) the mode of the original binary was accidentally getting reset
to 0, when it was intended to initialize the audit field to 0.
This patch adds a make install target for the generated apparmor.vim
file, installing by default into /usr/share/apparmor based on IRC
discussions; alternate suggestions welcome. (Installing directly
into the vim syntax tree is difficult as the system path by default
contains the vim version number.)
This patch replaces the apparmor.vim generating script with a python
version that eliminates the need for using the replace tool from the
mysql-server package. It makes use of the automatically generated
lists of capabilities and network protocols provided by the build
infrastructure. I did not capture all the notes and TODOs that
Christian had in the shell script; I can do so if desired.
It also hooks the generation of the apparmor.vim file into the utils/
build and clean stages.
This patch adds several missing capabilities to the utils/
severity.db file as detected by the newly added make check target,
along with corresponding severity levels that I believe :re appropriate
(discussion welcome):
CAP_MAC_ADMIN 10
CAP_MAC_OVERRIDE 10
CAP_SETFCAP 9
CAP_SYSLOG 8
CAP_WAKE_ALARM 8
The latter two are undocumented in the capabilities(7) man page
provided in Ubuntu 12.04; the syslog one is the separation out of
accessing the dmesg buffer from CAP_SYSADMIN, and the CAP_WAKE_ALARM
allows setting alarms that would wake a system from a suspended state,
if my reading is correct.
This also fixes a trailing whitespace on CAP_CHOWN, moves
CAP_DAC_READ_SEARCH to the end of the section of capabilities it's
in due to its lower priority level (7).
capabilities
This patch adds a new make target, check_severity_db, to the
utils/Makefile. It greps the severity.db for the presence of each
capability, as computed by the newly abstracted out variable in
common/Make.rules, and issues a build time error if it finds any
missing.
It also silences the check targets, so that only the output from them
will be emitted.
The aa-exec command can be used to launch an application under a specified
confinement, which may be different for what regular profile attachment
would apply.
Signed-off-by: John Johansen <john.johansen@canonical.com>
capabilities). The rule will be marked in the "dangerous capability"
color.
Additionally, the patch removes the (already commented out) code for
"set capability".
Acked-by: Kees Cook <kees@ubuntu.com>
When running installing apparmor-utils from Makefile, some warnings are
generated: make[1]: warning: jobserver unavailable: using -j1. Add
`+' to parent make rule.
Use $(MAKE) instead of make
Signed-off-by: John Johansen <john.johansen@canonical.com>
If $DISPLAY is not set and --display is not used, aa-notify prints a
warning that notifications won't be shown (exact warning text depends if
using sudo or not).
Acked-by: John Johansen <john.johansen@canonical.com>
- set HOME (and DISPLAY) only once on startup to avoid NSS lookups
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <opensuse@cboltz.de>
openSUSE, which results in non-working desktop notifications in aa-notify
because $notify_exe is unable to connect to DBUS to display the message.
This patch sets the correct value for $HOME.
The code for setting $DISPLAY is still under discussion, therefore only
a TODO note is included in this commit for $DISPLAY.
Acked-By: John Johansen <john.johansen@canonical.com>
Subject: apparmor-utils: Add support for creds and path operations
References: bnc#564316
2.6.29 introduced the path security_operations and credentials
This patch adds support for those operations to the log parser.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Resolved merge conflict and removal operation already supported by
the log parser.
Acked-by: John Johansen <john.johansen@canonical.com>
