2.11/2.10: is_skippable_dir(): add 'cache.d' to exclude list
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/
Reported on the opensuse-factory mailinglist by Frank Krüger and
confirmed by others.
(cherry picked from commit 5b9497a8)
While this isn't strictly needed for 2.10 or 2.11 userspace, it makes testing these branches easier ;-)
I propose this cherry-pick for 2.11 (= this merge request) and 2.10.
https://gitlab.com/apparmor/apparmor/merge_requests/222
Acked-by: John Johansen <john.johansen@canonical.com>
make 2.11 utils tests green
- switch minitools_test.py to a profile without alternation
- remove non-failing tests from unknown_line exception
- exclude several #include "does not exist" examples
PR: https://gitlab.com/apparmor/apparmor/merge_requests/220
Legacy path ~/.apparmor/notify.conf is preferred if it exists, otherwise
$XDG_CONFIG_HOME/apparmor/notify.conf, with fallback to
~/.config/apparmor/notify.conf, is used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/215
Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit 1fb9acc59e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add missing paths to usr.sbin.nmbd, usr.sbin.smbd and abstractions/samba
See merge request apparmor/apparmor!210
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit f76a718f28)
80e98f2d Update usr.sbin.nmbd & usr.sbin.smbd
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does _not_ run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-)
This is a backport of 072d3e0451 / !202 to
2.11 (with some adjustments because that commit didn't appy cleanly)
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/
Reported on the opensuse-factory mailinglist by Frank Krüger and
confirmed by others.
(cherry picked from commit 5b9497a8c6)
bare_include_tests/ok_30.sd and ok_31.sd don't fail with the 2.11 tools.
Remove them from the unknown_line exception.
(Interestingly newer branches fail on these tests, but I didn't check why.)
These tests were added with the cherry-picked commit 4184b0c363
They are expected to fail, but don't fail with the 2.11 tools because
the regex only matches #include <...> which means #include "..."
is considered to be a comment.
Remove accidently added text from utils/po/Makefile
See merge request apparmor/apparmor!217
Acked-by: Tyler Hicks <tyhicks@canonical.com>
(cherry picked from commit fa82a51523)
15770576 Remove accidently added text from utils/po/Makefile
Qt GUI applications that uses "platforminputcontexts"-class of plugins
might need reading and/or writing compose cache. Add read-only rule in
qt5 abstraction and create new writing dedicated for compose cache
writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 67816c42cf)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Qt-based applications stores QFileDialog (latest browsed directory) and
other shared user settings inside ~/.config/QtProject.conf. Currently
available qt abstraction only allows to read it (by design), so this
patch introduces abstraction that grants permissions for writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 69c4cabb93)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add @{uid} and @{uids} variables to allow migrating profiles in advance
while awaiting path mediation implementation, based on current user id,
in kernel side.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/208
(cherry picked from commit cba10db7e7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Harden abstractions part ii
- abstractions/private-files: disallow access to the dirs of private files
- private-files{,-strict}: disallow writes to parent dirs too
- user-files: disallow writes to parents dirs
PR: https://gitlab.com/apparmor/apparmor/merge_requests/206
Signed-off-by: John Johansen <john.johansen@canonical.com>
gio-launch-desktop helper tries to execute /usr/bin/thunderbird wrapper
script, not the /usr/lib/thunderbird... directly.
Add rule allowing to execute /usr/bin/thunderbird.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/204
(cherry picked from commit cee9527fa8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
* Add -bin suffix to reach new Thunderbird executable.
(cherry picked from commit 7546413b43)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Harden abstractions
remove antiquated abstractions/launchpad-integration
abstractions/private-files-strict: disallow access to the dirs of private files
abstractions/private-files: disallow writes to thumbnailer dir (LP: #1788929)
ubuntu-browsers.d/user-files: disallow access to the dirs of private files
Nominating launchpad-integration and opencl-nvidia for 2.13. Nominating private-files-strict, private-files and user-files for 2.10 and higher
PR: https://gitlab.com/apparmor/apparmor/merge_requests/203
Signed-off-by: John Johansen <john.johansen@canonical.com>
add zsh to logprof.conf
See merge request apparmor/apparmor!201
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 7e22b0a894)
00871696 add zsh to logprof.conf
Also add /usr/share/dnsmasq/, DNSSEC trust anchors are kept there.
(cherry picked from commit 5bc7a9fbd6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Move README to README.md to provide better integration with gitlab
and sync changes from master branch so we have badges, build info
etc.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This patch supports rolling a tarball for a release, as well as doing
'make tag'. Only stuff that's been committed should get incorporated
into the tarball.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 0b719e4f86)
The URL redirect ends up at a page in the new wiki that doesn't exist.
We have to link directly to the gitlab URL here since the current URL
redirect doesn't let us use a wiki.apparmor.net URL and still reach the
expected Profiles page.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
When running aa-genprof in a lxd instance, printk_ratelimit is readonly
and writing to it fails. Instead of crashing with a backtrace, only
print a warning.
References: https://bugs.launchpad.net/apparmor/+bug/1785391
(cherry picked from commit 961e69afe5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Each coverity command writes its debugging output to
cov-int/build-log.txt, which means that multiple runs of cov-build
overwrite previous logs, resulting in only the last invocation's output
remaining at the end of the build, making debugging why failures to
capture coverity output difficult. Fix this by renaming the build-log to
per-directory log files.
(This would still be an issue even if we had a single build command
for the entire tree, as capturing python and other interpreted
files requires a second invocation of cov-build to scan for those
file types.)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/145
(cherry picked from commit fed101920b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow /usr/local/lib/python3/dist-packages in abstractions/python
See merge request apparmor/apparmor!160
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 763a6787d8)
6a10f076 Allow /usr/local/lib/python3/dist-packages in abstractions/python
use_group is only honored if it is defined.
The "real" permission check is reading the logfile - the group check
in aa-notify is just an annoying additional check, and the default
"admin" only works on Ubuntu (other distributions typically use
"wheel").
This commit comments out use_group in the default config, which allows
everybody to use aa-notify. Permissions for reading the log file are of
course still needed.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/82
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1058787
(cherry picked from commit 86ec3dd658)
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
