- make table of contents, footnotes etc. clickable hyperlinks
- use timestamp of techdoc.tex (instead of build time) as creationdate
in the PDF metadata
- don't include build date on first page of the PDF
- make clean:
- delete techdoc.out (created by pdftex)
- fix deletion of techdoc.txt (was techdo_r_.txt)
The initial target was to get reproduceable PDF builds (therefore the
timestamp-related changes), the other things came up during discussing
this patch with David Haller.
The only remaining difference in the PDF from build to build is the /ID
line. This line can't be controlled in pdflatex and is now filtered
out by build-compare in the openSUSE build service (bnc#760867).
Credits go to David Haller for writing large parts of this patch
(but he didn't notice the techdo_r_.txt ;-)
Signed-Off-By: Christian Boltz <apparmor@cboltz.de>
* the application, library, documentation and installation script
* the initial templates and policy groups. This will undoubtedly need
refinement as we get feedback from users. Initial policy is based on Ubuntu's
Application Review Board (ARB) requirements[2].
* tests for the library
* Makefile integration
Templates are stored in /usr/share/apparmor/easyprof/templates and policy
groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via
/etc/apparmor/easyprof.conf.
The aa-easyprof.pod has complete documentation on usage with some
additional information in utils/easyprof/README (mostly duplicated
here).
Testing can be performed in a number of ways:
$ cd utils ; make check # runs unit tests and pyflakes
Unit tests manually:
$ ./test/test-aa-easyprof.py
In source manual testing:
$ ./aa-easyprof --templates-dir=./easyprof/templates \
--policy-groups-dir=./easyprof/policygroups \
... \
/opt/foo/bin/foo
Post-install manual testing:
$ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install
$ cd /tmp/test
$ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \
--templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \
--policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \
/opt/bin/foo
(you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid
specifying --templates-dir and --policy-groups-dir).
Committing this now based on conversation with John and Steve.
Acked-By: Jamie Strandboge <jamie@canonical.com>
the chromium and chrome sandboxes are setuid root, they only link in limited
libraries so glibc's secure execution should be enough to not require the
santized_helper (ie, LD_PRELOAD will only use standard system paths (man
ld.so)). Also allow some paths in /opt for Chrome.
Ubuntu-Bug: https://launchpad.net/bugs/964510
Acked-By: Jamie Strandboge <jamie@canonical.com>
sanitized_helper. For now this only allows software-center scripts in
/usr/share, but we may need to increase what is allowed in /usr/share if more
things are denied when they shouldn't be.
Ubuntu-Bug: https://launchpad.net/bugs/972367
Acked-By: Jamie Strandboge <jamie@canonical.com>
$CPPFLAGS. Additionally, do not repeat compiler flags for automake
targets that already include them, and pass more flags to the Perl build.
Signed-off-by: Kees Cook <kees@ubuntu.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
When writing out a profile, aa-logprof incorrectly converts PUx execute
permission modes to the syntactically invalid UPx mode, because the
function that converts the internal representation of permissions to
a string emits the U(nconfined) mode bit before the P bit.
This patch corrects this by reordering the way the exec permissions
are emitted, so that P and C modes come before U and i. Based on
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
this should emit the modes correctly in all combined exec modes.
Other approaches to fixing this would require adjusting the data
structure that contains the permission modes, resulting in a more
invasive patch.
Bug: https://launchpad.net/bugs/982619
access to /proc/*/attr/{current,exec}, the onexec testcase that
attempted to do things without explicit access granted to
/proc/*/attr/exec in the testsuite passes instead of fails. This commit
takes that into account.
http://bugs.launchpad.net/bugs/979135
Currently a change_profile rule does not grant access to the
/proc/<pid>/attr/{current,exec} interfaces that are needed to perform
a change_profile or change_onexec, requiring that an explicit rule allowing
access to the interface be granted.
Make it so change_profile implies the necessary
/proc/@{PID}/attr/{current,exec} w,
rule just like the presence of hats does for change_hat
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
http://bugs.launchpad.net/bugs/968956
The parser is incorrectly generating network rules for kernels that can
not support them. This occurs on kernels with the new features directory
but not the compatibility patches applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
This fix is needed for the userspace portion of both
BugLink: http://bugs.launchpad.net/bugs/963756
BugLink: http://bugs.launchpad.net/bugs/978038
change_onexec fails for profiles that don't have an attachment specification
eg. unconfined
This is because change_onexec goes through 2 permission checks. The first
at the api call point, which is a straight match of the profile name
eg.
/bin/foo
unconfined
and a second test at exec time, tying the profile to change to to the
exec. This allows restricting the transition to specific execs. This
is mapped as a two entry check
/executable/name\x00profile_name
where the executable name must be marked with the change_onexec permission
and the subsequent profile name as well.
The previous "fix" only covered adding onexec to executable names and
also works for the initial change_onexec request when the profile is
an executable.
However it does not fix the case for when the profile being transitioned
to is not an executable.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
This extends the auto-profile generation so that it can take profiles formated
in standard profile language augemented by a few special variables for
the automatically generated rules. This will all extended the regression
tests in ways that are not currently supported, because mkprofile format
does not match of the profile language.
the special apparmorish variables are
@{gen_elf name} - generate rules for elf binaries
@{gen_bin name} - generate rules for a binary
@{gen_def} - generate default rules
@{gen name} - do @{gen_def} @{gen_bin name}
To generate a profile you do
genprofile --stdin <<EOF
/profile/name {
@{gen /profile/name}
}
EOF
eg. to generate the equivalent of
genprofile
you would do
genprofile --stdin <<EOF
$test {
@{gen $test}
}
EOF
and the equiv of
genprofile $file:rw
would be
genprofile --stdin <<EOF
$test {
@{gen $test}
$file rw,
}
while it takes a little more to generate a base profile than the old syntax, it
use the actual profile language (augmented with the special variables), it is a
lot more flexible, and a lot easier to expand when new rule types are added.
eg. of something not possible with the current auto generation
Generate a profile with a child profile and hat and a trailing profile
genprofile --stdin <<EOF
$test {
@{gen $test}
profile $bin/open {
@{gen $bin/open}
}
^hatfoo {
$file rw,
}
}
profile $bin/exec {
@{gen $bin/exec}
}
EOF
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
manpages (and adjust it so that it's one rule instead of eight). It
also fixes the above problem and a similar problem in the aa-exec
manpage.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Bugs: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/800826https://bugzilla.novell.com/show_bug.cgi?id=755923
This patch modifies the libapparmor log parsing code to add support
for the additional ip address and port keywords that can occur in
network rejection rules. The laddr and faddr keywords stand for local
address and foreign address respectively.
The regex used to match an ip address is not very strict, to hopefully
catch the formats that the kernel emits for ipv6 addresses; however,
because this is in a context triggered by the addr keywords, it should
not over-eagerly consume non-ip addresses. Said addresses are returned
as strings in the struct to be processed by the calling application.
Bug: https://launchpad.net/bugs/800826
This patch calls autodep on the 'exec'ed binary when the user selects
to place that execution in a child profile. Previously, logprof would
create an entirely empty child profile in complain mode (this fix
still leaves the child profile in complain mode).
This patch fixes a couple of issue with autodep:
1) The initial profile construction had not been adjusted to include
the 'allow' or 'deny' hash prefixing the path elements. This
fixes it by eliminating the path portion entirely and pushing
the path based accesses to the later analysis section of code.
2) the mode of the original binary was accidentally getting reset
to 0, when it was intended to initialize the audit field to 0.
Bug #963756
The kernel has an extended test for change_profile when used with
onexec, that allows it to only work against set executables.
The parser is not correctly mapping change_profile for this test
update the mapping so change_onexec will work when confined.
Note: the parser does not currently support the extended syntax
that the kernel test allows for, this just enables it to work
for the generic case.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The capabilities tests where failing in the changehat_wrapper test. This was because
they could not the changehat_wrapper sub executable, which trying to exec a binary
in the tmpdir.
Specifically if the test was for syscall_ptrace. It would generate a profile with
a hat for ^syscall_ptrace and attempt to execute ./syscall_ptrace. However this
was failing in some situations, including when trying to debug from the tmpdir,
as the syscall_XXX binary is no longer local.
Instead use the fully qualified path for the hat name, and the exec path.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The retaining of the tmpdir is used during debugging of test failures, but currently
when a test fails, the next test is run overwritting the previous tmpdir value. This
is a problem even when manually running individual test shell scripts if the failure
is not the last test in the script.
Instead cause testing to about when retaintmpdir is true, which will cover the debugging
needs for the majority of failure cases.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This patch adds a make install target for the generated apparmor.vim
file, installing by default into /usr/share/apparmor based on IRC
discussions; alternate suggestions welcome. (Installing directly
into the vim syntax tree is difficult as the system path by default
contains the vim version number.)
This patch replaces the apparmor.vim generating script with a python
version that eliminates the need for using the replace tool from the
mysql-server package. It makes use of the automatically generated
lists of capabilities and network protocols provided by the build
infrastructure. I did not capture all the notes and TODOs that
Christian had in the shell script; I can do so if desired.
It also hooks the generation of the apparmor.vim file into the utils/
build and clean stages.
This patch adds several missing capabilities to the utils/
severity.db file as detected by the newly added make check target,
along with corresponding severity levels that I believe :re appropriate
(discussion welcome):
CAP_MAC_ADMIN 10
CAP_MAC_OVERRIDE 10
CAP_SETFCAP 9
CAP_SYSLOG 8
CAP_WAKE_ALARM 8
The latter two are undocumented in the capabilities(7) man page
provided in Ubuntu 12.04; the syslog one is the separation out of
accessing the dmesg buffer from CAP_SYSADMIN, and the CAP_WAKE_ALARM
allows setting alarms that would wake a system from a suspended state,
if my reading is correct.
This also fixes a trailing whitespace on CAP_CHOWN, moves
CAP_DAC_READ_SEARCH to the end of the section of capabilities it's
in due to its lower priority level (7).
capabilities
This patch adds a new make target, check_severity_db, to the
utils/Makefile. It greps the severity.db for the presence of each
capability, as computed by the newly abstracted out variable in
common/Make.rules, and issues a build time error if it finds any
missing.
It also silences the check targets, so that only the output from them
will be emitted.
This patch abstracts out the generation of the lists of capabilities
and network protocol names to the common Make.rules file that is
included in most locations in the build tree, to allow it to be
re-used in the utils/ tree and possibly elsewhere.
It provides the lists in both make variables and as make targets.
It also sorts the resulting lists, which causes it to output differently
than the before case. I did confirm that the results for the generated
files used in the parser build were the same after taking the sorting
into account.
