Sometimes network events come with an operation keyword looking like
file_perm which makes them look like file events. Instead of ignoring
these events (which was a hotfix to avoid crashes), improve the type
detection.
In detail, this means:
- replace OPERATION_TYPES (which was basically a list of network event
keywords) with OP_TYPE_FILE_OR_NET (which is a list of keywords for
file and network events)
- change op_type() parameters to expect the whole event, not only the
operation keyword, and rebuild the type detection based on the event
details
- as a side effect, this simplifies the detection for file event
operations in parse_event_for_tree()
- remove workaround code from parse_event_for_tree()
Also add 4 new testcases with log messages that were ignored before.
References:
a) various bugreports about crashes caused by unexpected operation keywords:
https://bugs.launchpad.net/apparmor/+bug/1466812https://bugs.launchpad.net/apparmor/+bug/1509030https://bugs.launchpad.net/apparmor/+bug/1540562https://bugs.launchpad.net/apparmor/+bug/1577051https://bugs.launchpad.net/apparmor/+bug/1582374
b) the summary bug for this patch
https://bugs.launchpad.net/apparmor/+bug/1613061
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.10.
This should solve the "overlapping rules with conflicting 'x'
modifiers" problem (introduced with r3594) entirely.
The other options I could think of were:
* ix → Pix, adjust all profiles that do 'ix' accordingly, and leave
alone those that do Pix already; downsides: requires updating quite
a few profiles all around the place, and breaks a mere "file," rule;
* ix → Pix, adjust all profiles that do 'ix' accordingly, and change
the "file," rule semantics to imply Pix; downside: very intrusive,
and likely to break random existing policy in ways that are hard
to predict;
* stick to ix, and adjust all profiles that do anything else with
overlapping rules, to do ix instead; downside: in some cases this means
removing the 'P' modifier, which can cause regressions in how we confine
stuff.
I've looked up in the bzr history to understand why execution rights
would be needed, and… the answer predates the move to bzr.
Looking into the SVN history, if it's even available anywhere, is
a bit too much for me, so I've tested this change and the few
applications I've tried did not complain. Of course, more testing will
be needed.
Having consistent x modifiers in this abstraction is needed
to allow profiles including abstractions/base to apply x rules
overlapping with several of the rules from the base abstraction.
E.g. one may need to have rules applying to /**, for example because
a mere "file," conflicts with the ix→Pix change I did in r3596.
netstat -nlp46 output:
raw6 0 0 :::58 :::* 7 1326/NetworkManager
which when asking netstat to display name resolution ends up being:
raw6 0 0 [::]:ipv6-icmp [::]:* 7 1326/NetworkManager
Of course, aa-unconfined doesn't show this, the following patch adds
that, by adding the raw keyword as an alternative to tcp|udp and
accepting a number as an alternative to LISTEN.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
On servers with not too much memory ("only" 16 GB), dovecot logins fail:
Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA, 268435456): Permission denied
Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command startup failed, throttling for 2 secs
Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth): child 25976 returned error 89 (Fatal failure)
audit.log messages are:
... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24 capname="sys_resource"
... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456
After allowing capability sys_resource, dovecot can increase the limit
and works again.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
Storing these event details depending on the operation type only makes
things more difficult because it's hard to differenciate between file
and network events.
Note that this happens at the first log parsing stage (libapparmor log
event -> temporary python array) and therefore doesn't add a serious
memory footprint. The event tree will still only contain the elements
relevant for the actual event type.
This change means that lots of testcases now get 3 more fields (all
None) when testing parse_event(), so update all affected testcases.
(test-network doesn't need a change for probably obvious reasons.)
Also rename a misnamed test in test-change_profile.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
The latest glibc (including nscd) in openSUSE Tumbleweed comes with
glibc-2.3.3-nscd-db-path.diff: Move persistent nscd databases to
/var/lib/nscd
This needs updates (adding /var/lib/nscd/) to abstractions/nameservice
and the nscd profile.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
nmbd, winbindd (and most probably also smbd - but it has a more
permissive profile that already allows this) need rw access to
/var/cache/samba/lck/* on Debian 8.6.
Reported by FLD on IRC.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
The apparmor.d description about alias rules was broken in multiple
ways. The manpage
- didn't include the alias keyword
- listed alias rules in the "COMMA RULES" section - while that's correct
for the comma requirement, it's also wrong because COMMA RULES is
meant to be inside a profile
- didn't list alias rules in the PREAMBLE section
This patch fixes this.
It also moves the definition of VARIABLE, VARIABLE ASSIGNMENT (both
unchanged) and ALIAS RULE next to PREAMBLE.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10
A while ago, support for "network unspec" was added. However, nobody
updated the ntpd profile (at least not the profile in upstream bzr)
which was the main reason for adding "unspec".
References: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1546455
(the original bugreport about "unspec")
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1009964
(about the ntpd profile)
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
Fix import errors with swig > 3.0.8 with the libapparmor python
bindings. Do this by removing the code to rename the generated
LibAppArmor.py, and instead use a stub __init__.py that automatically
imports everything from LibAppArmor.py. Also adjust bzrignore to
compensate for the autogenerated file name changing.
Bug: https://bugzilla.opensuse.org/show_bug.cgi?id=987607
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Newer kernels need m permissions for the binary the profile covers,
so add it before someone hits this problem in the wild ;-)
Also add a note that the mlmmj-recieve profile is probably superfluous
because upstream renamed the misspelled binary.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
This patch updates the mlmmj profiles in the extras directory to the
profiles that are used on lists.opensuse.org now. Besides adding lots
of trailing slashes for directories, several permissions were added.
Also, usr.bin.mlmmj-receive gets added - it seems upstream renamed
mlmmj-recieve to fix a typo.
These profiles were provided by Per Jessen.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1000201
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Some conditions in RlimitRule can never be hit under normal
circumstances, so this patch adds some "pragma: no cover" and
"pragma: no branch" comments to beautify the coverage report.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The log line (with a different profile=...) was sitting around on my
disk since a year, so let's do something useful with it ;-)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch adds profiles for all log sniplets that are expected to
result in a profile rule.
This also means some changes in test-libapparmor-test_multi.py are
needed:
- split off log_to_profile_skip from log_to_profile_known_failures to
- only skip tests in log_to_profile_skip (causing a crash or requiring
user interaction)
- run tests in log_to_profile_known_failures, but expect a non-equal
result (caused by not added rules etc.)
- add quite some tests to log_to_profile_known_failures - they were
skipped before because they didn't have a *.profile file.
- add handling for hats to shorten list of known failures
This fixes testcase24 and testcase33 (after adjusting the profiles)
and lots of the new *.profile files.
- since we now have *.profile files for all log events that should result
in a profile rule, no longer ignore FileNotFoundError
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Besides dnsmasq.leases, dnsmasq.pid needs to be written. Also read
access for some files is needed (currently dnsmasq.raw and
dnsmasq.hosts - using dnsmasq.* makes this more future-proof when
more files get added)
References: https://bugs.launchpad.net/apparmor/+bug/1634199 (again)
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/1403468
This patch adds TestLogToProfile to test-libapparmor-test_multi.py which
"translates" the test_multi log sniplets to a profile, and checks if it
matches the expected profile.
The expected profile for one log event will obviously contain only one
rule, and gets added as *.profile to the test_multi directory.
This patch includes 33 test_multi profiles - which means 83 more need to
be created. Whenever you have some time, add one or two! (Please write
those test_multi profiles manually, without using the tools.)
I know some parts of the test code looks complicated. Unfortunately this
is how things work - compare it with do_logprof_pass() in aa.py...
While on it, set tests = 'invalid' which ensures a failure in case
parse_test_profiles() doesn't set the tests array, and move printing
the test name out of parse_test_profiles() to avoid printing it twice.
A nice side effect of this patch is increased test coverage:
- 30% -> 40% in aa.py (= 250 more lines)
- 52% -> 78% in aamode.py (= 23 more lines)
- 26% -> 68% in logparser.py (= 120 more lines)
- total coverage increases from 57% to 62%
Acked-by: Seth Arnold <seth.arnold@canonical.com>
I already did this in the python code a month ago, and now realized that
we should also update the apparmor.d manpage ;-)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
seen_events is a global variable in aa.py that gets increased at several
places, but isn't used (read or printed) anywhere. Since I can't imagine
how it could become useful, simply drop it.
Also drop an outdated comment in handle_children that lived next to a
seen_events line.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
These files are needed for disk-based buffering (added in syslog-ng 3.8).
This was reported to me by Peter Czanik, one of the syslog-ng developers.
Note: I'm not sure about adding @{CHROOT_BASE} to this rule, so for now
I prefer not to do it - adding it later is easy, but finding out if it
could be removed is hard ;-)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
This little change means that the tests will run as part of 'make check'.
This commit is only a 'bzr mv utils/test/config_test.py utils/test/test-config.py'
without any changes in the file content.
Acked-by: Steve Beattie <steve@nxnw.org>
aa_test.py doesn't run in 'make check' because its filename doesn't
match the 'test-*.py' pattern, so this move means the tests now actually
get run.
While on it, migrate test-aamode.py to use the AATest base class, and
migrate the str_to_mode() tests to a tests[] array.
After this move, aa_test.py doesn't do anything anymore, so delete it.
Acked-by: Steve Beattie <steve@nxnw.org>.
Also add another test proposed by Steve:
(None, set()),
aa_test.py doesn't run in 'make check' because its filename doesn't
match the 'test-*.py' pattern.
mode_to_str() was dropped as part of the FileRule series, so it's
pointless to keep its tests. (The replacement is totally different and
has full test coverage already.)
loadincludes() still exists, but only testing if the function runs
without errors is not really helpful, so drop this test.
Also drop unused imports and add an explicit import for apparmor.aamode.
Acked-by: Steve Beattie <steve@nxnw.org>
aa_test.py doesn't run in 'make check' because its filename doesn't
match the 'test-*.py' pattern.
Move tests for globbing ("plain" globbing and globbing with ext) to
test-aare.py to make sure those tests actually run.
Note: This isn't an exact move - I adjusted some of the tests to make
them more useful, and added some more tests.
Also, glob_path() and glob_path_withext() no longer exist in aa.py.
They moved to the AARE class as part of the FileRule patch series.
Acked-by: Steve Beattie <steve@nxnw.org>
Add a testcase with exec-only permissions (which get ignored by
get_perms_for_path()) to increase FileRule test coverage to 100%.
Acked-by: Steve Beattie <steve@nxnw.org>
- dovecot/auth: allow to read stats-user
- dovecot/config: allow to read /usr/share/dovecot/**
- dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
/usr/share/dovecot/**
These things were reported by Félix Sipma in Debian Bug#835826
(with some help from sarnold on IRC)
References: https://bugs.debian.org/835826
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Also allow reading ~/.dovecot.svbin (that's the default filename in the
dovecot config) in dovecot/lmtp profile.
(*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but
that's already covered by the existing rules.)
References: https://bugs.debian.org/835826 (again)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
exec_stack picked up a fix to address a semantic change introduced in
4.8 kernels.
However older kernels don't need the extra permission and the exec_stack
test is the only test we currently have that caught the semantic change.
Keep exec_stack to the minimum set of permissions needed for a given
kernel. Which allows us to use exec_stack as a test to detect the
semantic change showing up in unexpected place until we have a test
specifically designed for this.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The latest version of pyflakes (1.3.0 / python 3.5) complains that
CMD_CONTINUE is defined twice in ui.py (with different texts).
Funnily CMD_CONTINUE isn't used anywhere, so we can just drop both.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
As discussed a while ago, switch the utils (including their tests) to
use python3 by default. While on it, drop usage of "env" to always get
the system python3 instead of a random one that happens to live
somewhere in $PATH.
In practise, this patch doesn't change much - AFAIK openSUSE, Debian and
Ubuntu already patch aa-* to use python3.
Also add a note to README to officially deprecate Python 2.x.
(I won't break Python 2.x support intentionally - unless some future
change gives me a very good reason to finally drop Python 2.x support.)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(since 2016-08-23, but the commit had to wait for the FileRule series
because it touches test-file.py)
After looking at matchliteral(), I found out that it's only user is
rematchfrag(), which is only called in a) an "if False:" block and
b) match_include_to_path() - and that is only called by the also unused
match_prof_incs_to_path() function.
This patch drops some dead code (like the mentioned "if False:" block)
and the now unused functions
- matchliteral()
- rematchfrag()
- match_include_to_path()
- match_prof_incs_to_path()
This patch is also THE ANSWER to the question when I'll finally consider
this patch series complete.
42. It can't become better than that! ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
