deny writes to upstart user sessions jobs in abstractions/private-files
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
the 2.8 branch.
Original commit message:
committer: Jamie Strandboge <jamie@canonical.com>
Initial port to python3 for utilities. Thanks to Dmitrijs Ledkovs
Acked-By: Jamie Strandboge <jamie@canonical.com>
Most of trunk r2052 also applies to the 2.8 branch. The only difference
is the last section of changes in utils/vim/create-apparmor.vim.py
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Skimmed-by: Seth Arnold <seth.arnold@canonical.com>
file is larger than the feature buffer used for cache version comparison.
Ideally this would be dynamically allocated but for 2.8 just bumping the
buffer size is the quick fix.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Also deny capability block_suspend because nobody can imagine why it
would be needed.
References: https://bugzilla.novell.com/show_bug.cgi?id=807104
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(backport of trunk r2109)
abstractions/mysql contains
/var/lib/mysql/mysql.sock rw,
/usr/share/mysql/charsets/ r,
/usr/share/mysql/charsets/*.xml r,
but the files moved (at least on openSUSE) to
/usr/share/mysql-community-server/charsets/*.xml
/var/run/mysql/mysql.sock
This causes denials for all applications using MySQL on 12.2 and
Factory.
MariaDB has the *.xml files in
/usr/share/mariadb/charsets/*.xml
and also seems to use /var/run/mysql/ for the socket.
Since MariaDB is basically a drop-in replacement for MySQL, it makes
sense to allow access to it via abstractions/mysql.
References: https://bugzilla.novell.com/show_bug.cgi?id=798183
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Merge from trunk commit 2102
Original message:
I was testing out a profile for pulseaudio and hit an issue where my
pulseaudio process was getting the firefox profile applied to it. This
is because in abstractions/ubuntu-browsers.d/multimedia the rule for
pulseaudio is /usr/bin/pulseaudio ixr; attached is a patch to change it
to Pixr, so as to use a global pulseaudio policy if it exists.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
time formats. As this is causing failures on some systems
currently the only supported format is
<Month> ## hh:mm:ss
extend this to
<Month> ## hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-dd hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-ddThh:mm:ss(.ms)?((+|-)timezone)?
Merge from trunk commit 2077
Original message:
Subject: aa-decode test script v3
This patch adds a test script/driver for the aa-decode utility. The only
change from the previous versions is to support overriding the location
of the aa-decode to test via the APPARMOR_DECODE environment variable
and documenting the utils/ tests in the top level README.
The aa-decode test can be run directly from the commandline in the utils
directory like so:
test/test-aa-decode.py -v
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
release. In this merge are the following trunk commits:
2050 - parser - network rules debugging statements
2057 - update ubuntu-browsers.d/java for IcedTea 7
2058 - let sanitized-helper also allow access to /usr/local
2059 - ubuntu-integration does not work properly with exo-open
2062 - support alternate ping install location in /usr
2064 - parser - update apparmor_parser man page
2065 - parser - correct apparmor_parser -N command privilege
2066 - parser - *just* the updated caching test message from this commit
2065.1.1 - profiles update fonts abstraction for new fontconfig paths
2065.1.{3,4} - profiles - Gnome applications are now quite interested
in reading /usr/share/poppler/cMap/**
2069 - profiles - update extras README with mail list info
2074 - tests - fix clone test on arm
2076 - parser tests - fix test driver for exec() failure
2079 - libapparmor - add pkgconfig support
2083 - parser tests - fix fine grained timestamp detection in caching tests
2090 - nvidia abstractions cleanups
2092 - update skype profile
2093 - add XCompose to abstractions/X
2096 - dnsmasq network-manager integration
Merge from trunk commit 2093
Original message:
Subject: profiles - add user's XCompose file to X abstraction
In testing the skype profile, I found access to my @{HOME}/.XCompose
was being rejected. This patch updates the X abstraction to take a
user's defined XCompose key shortcuts into account.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge from trunk commit 2092 (w/ dropping the last modified timestamp
entirely)
Original message:
Subject: profiles - update skype profile
Author: Jamie Strandboge <jamie@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/933440 Forwarded: yes
This is a very slightly updated version of the skype profile
update that Jamie Strandboge submitted, but did not get a review.
The only addition over the previously submitted version is rw access
to @{HOME}/.config/Skype/Skype.conf.
(This commit incorporates the additional @{HOME}/.kde4 change proposed
by Christian Boltz <apparmor@cboltz.de>)
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge from trunk commit 2090
Original message:
Subject: profiles - nvidia abstraction cleanups
This patch modifies the nvidia abstraction to add the livdpau wrapper
config file for nvidia workarounds. It also converts the /proc/
rules to use the @{PROC} tunable. And finally, it converts the
ubuntu-browsers.d/multimedia abstraction to use the nvidia abstraction.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
caching tests
Merge from trunk commit 2083
Original message:
This patch modifies the parser's caching test to more accurately detect
whether or not the filesystem has a fine enough timestamp resolution.
Occasionally even on filesystems like ext3, the two files' creation
dates would differ when created less than a second apart, which would
typically cause the 'Cache is used when cache is newer' test to fail
because the cached file would have the same timestamp as the profile.
The fix creates 10 files 0.1 seconds apart and ensures that all ten
have distinct timestamps.
(The occasional failure was caught in testing runs like
https://bugs.launchpad.net/qa-regression-testing/+bug/1087061/ )
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Merge from trunk commit 2079
Original message:
Given that we want to do more apparmor things in user space (dbus
mediation, file picker, etc.), making it easier for other source bases
to detect the presence of libapparmor would be beneficial. This patch
adds pkg-config support to the build infrastructure for libapparmor.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Merge from trunk commit 2076
Original message:
Subject: two fixes to the parser's simple test driver
This patch fixes two issue with the simple test driver. The first is
that child exec that actually ran the parser was located inside the
eval statement. This meant that if the exec failed for some reason
(like the parser didn't exist), the child wouldn't actually die,
but would pop out of the eval and continue running through the loop
of test profiles (while the parent process does the same). This meant
that if the script ran on the full testsuite with a misconfiguration,
it would explode creating O(n^2) processes, where n is the number of
testcase files -- with over 25k testcases, that's a lot. The fis is to
lift the child exec outside the eval{}, then an exec() failure causes
the child process to die correctly.
The second fix is that several of the testcases were added with the
DESCRIPTION field added in lower case (i.e. #=Description blah blah).
This fix makes the regex that pulls out the description not be
case-sensitive.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Merge from trunk commit 2074.
Original message:
apparmor: Fix clone test on quantal arm omap-4
It turns out that PAGE_SIZE isn't defined on all architectures.
This fixes a regression test failure happening on Ubuntu quantal
on the arm ti-omap4 architecture.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Merge mailing list update from profiles/apparmor/profiles/extras/README
in trunk commit 2069.
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
/usr/share/poppler/cMap/**
Merge from trunk commit 2065.1.3
Original message:
Gnome applications are now quite interested in reading
/usr/share/poppler/cMap/**. These files are included in the poppler-data
package on Ubuntu, and their 'r' denials create quite a bit of noise.
Apparently they are needed to display PDF documents containing CJK
characters with libpoppler. I added it to the gnome abstraction because
several applications not linked against poppler are consulting this
data.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge from trunk commit 2065.1.1.
Original message:
update fonts abstraction for new fontconfig paths
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge from just the parser/tst/caching.sh portion of trunk commit 2066.
Original message:
apparmor: abstract out the directory walking routine
The apparmor_parser has 3 different directory walking routines.
Abstract
them out and use a single common routine.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Original message:
apparmor: correct apparmor_parser -N command privilege
Fix the apparmor_parsers -N command (which dumps the list of profile
names found in a policy file) to be available without privilege and
also make it be recognized as a command instead of an option so that
it can conflict with -a -r -R -S and -o.
Currently it can be specified with these commands but will cause the
parser to short circuit just dumping the names and not doing the actual
profile compile or load.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Original message:
apparmor: update apparmor_parser man page
Rework and update the apparmor_parser man page. It reworks some of the
text but mostly just reorganizes the commands and options into logical
grouping to make it easier to sort out how the various commands and
options work.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Original message:
/bin/ping moved to /usr/bin/ping on openSUSE (usrMerge)
Update the profile to make sure it's still used.
Acked-by: John Johansen <john.johansen@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Original message:
Author: Mark Ramsell <mramsell@qazonline.net>
Description: ubuntu-integration does not work properly with exo-open
Bug-Ubuntu: https://launchpad.net/bugs/987578
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Original message:
Description: let sanitized-helper also allow access to /usr/local.
Patch based on work by Reuben Thomas
Bug-Ubuntu: https://launchpad.net/bugs/1013887
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Original Message:
While integrating 3.4-rc1, I ran into a problem where network rules
weren't being processed. It ultimately boiled down to a kernel
issue but I found it useful to see what the parser thought it was
working with. Since the parser already has a debugging mode that
will show things like capabilities, it was an obvious extension to
add network rules.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-By: John Johansen (up to r2072)
Acked-by: Steve Beattie <sbeattie@ubuntu.com> (including r2088)
In detail, the changes are (bzr log from trunk):
------------------------------------------------------------
revno: 2088
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2013-01-01 20:15:04 +0100
message:
speed up aa-decode by using a bash regex matching instead of calling egrep for each line.
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(Patch sent 2012-11-01, Acked-by from 2013-01-01)
------------------------------------------------------------
revno: 2072
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2012-10-16 00:19:49 +0200
message:
Fix aa-decode handling of stdin
Handling stdin was totally broken (= no output) with the current log
format because aa-decode expected name= to be the last entry in the
log line.
This patch for stdin handling
- fixes the pattern to match the current log format (name= is NOT the
last part in the log entry)
- uses bash replacement to avoid some sed calls (which also means the
script now needs an explicit "#!/bin/bash")
- prints decoded filenames in double instead of single quotes to be
consistent with filenames that were not encoded
- also prints lines that do not contain an encoded filename (instead of
grepping them away)
- replace tr calls by perl's uc() (also for non-stdin mode)
- also handle encoded profile names (introduced by Steve)
- don't fail if a file or profile name contains a '
In other words: you can pipe your audit.log through aa-decode, and the
only difference to the raw audit.log is that filenames are decoded.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
------------------------------------------------------------
revno: 2068
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Mon 2012-09-17 23:55:28 +0200
message:
fix error handling in aa-decode
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Looks-Good-By: ;-) Seth Arnold <seth.arnold@gmail.com>
------------------------------------------------------------
chance to run before verifying it's current and future confinement
state. In testing the combined sleeps added roughly a second to
onexec.sh's total time on relatively reasonable hardware.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com> (via IRC)
Hats/children profiles are used.
the matchflags in the dfa backend are not getting properly reset, which
results in a previously processed profiles match flags being used. This is
not a problem for most permissions but can result in x conflict errors.
Note: this should not result in profiles with the wrong x transitions loaded
as it causes compilation to file with an x conflict.
This is a minimal patch targeted at the 2.8 release. As such I have just
updated the delete_ruleset routine to clear the flags as it is already
being properly called for every rule set.
Apparmor 2.9/3.0 will have a different approach where it is not possible
to reuse the flags.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
- It failed to remove coredump files named "core"
- It failed to properly detect "core.<pid>" files
- And it would fail if the coredump_pattern had been modified to
a different location.
This lead one of the tests to report it was passing when it
wasn't because it was detecting the previous tests core file.
- Fix the test to set the coredump_pattern, to dump into the
tmpdir used for the test.
- Make it so it will only detect the core file for the pid of
the last test run.
- And extend the test to have a couple of extra test cases.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Add the ability to clear out the binary profile cache. This removes the
need to have a separate script to handle the logic of checking and
removing the cache if it is out of date.
The parser already does all the checking to determine cache validity
so it makes sense to allow the parser to clear out inconsistent cache
when it has been instructed to update the cache.
Signed-off-by: John Johnansen <john.johansen@canonical.com>
serious flaw. The test for the network flag was being applied against both
the kernel flags and the cache flags. This means that if either the kernel
or the cache did not have the flag set then network mediation would be
turned off.
Thus if a kernel was booted without the flag, and a cache was generated
based on that kernel and then the system was rebooted into a kernel with
the network flag present, the parser on generating the new policy would
detect the old cache did not support network and turn it off for the
new policy as well.
This can be fixed by either removing the old cache first or regenerating
the cache twice. As the first generation will write that networking is
supported in the cache (even though the policy will have it disabled), and
the second generation will generate the correct policy.
The following patch moves the test so that it is only applied to the kernel
flags set.
Signed-off-by: John Johansen <john.johansen@canonical.com>
compatibility interface. Previously it was assuming that if the compatibility
interface was present that network rules where also present, this is not
necessarily true and causes apparmor to break when only the compatibility
patch is applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
create-apparmor.vim.py was failing on systems with python 2.5, fix that
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
