requested and fails to be created. Also don't make the
warning output conditional on the showcache flag as we
should be showing warning/errors by default.
Signed-off-by: John Johansen <john.johansen@canonical.com>
- set HOME (and DISPLAY) only once on startup to avoid NSS lookups
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <opensuse@cboltz.de>
happily continued to install the initscript for aa-eventd.
This was reported by Jiri Srain as part of
https://bugzilla.novell.com/show_bug.cgi?id=720617
This commit removes the lines that install the aaeventd initscript
from parser/Makefile.
Acked-by: John Johansen <john.johansen@canonical.com>
openSUSE, which results in non-working desktop notifications in aa-notify
because $notify_exe is unable to connect to DBUS to display the message.
This patch sets the correct value for $HOME.
The code for setting $DISPLAY is still under discussion, therefore only
a TODO note is included in this commit for $DISPLAY.
Acked-By: John Johansen <john.johansen@canonical.com>
rc.apparmor.suse), I noticed that "rcapparmor restart" is
totally silent.
The attached patch prints a message in __apparmor_restart().
It also replaces the hardcoded "return 0" with $?. I'm quite sure this
won't catch all errors, but it's still better than the hardcoded success
message.
Acked-by: John Johansen <john.johansen@canonical.com>
- fix permissions for additional-log-sockets.conf (the comma in {var/,}
was at the wrong place, which broke the /var/run/ case)
- add read permissions for /sys/devices/system/cpu/online
(that was even new for Peter, but I trust him not to post faked
audit.log lines ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
"aa_log_action_start()" (probably for 2.6), but the rc.apparmor.suse
initscript was not updated.
This patch fixes the function name in the rc.apparmor.suse initscript.
References: https://bugzilla.novell.com/show_bug.cgi?id=717707
Acked-by: John Johansen <john.johansen@canonical.com>
Fix the build so
make DEBUG=1
results in a compile with DEBUG turned on.
Also fix build errors in the compile with DEBUG is defined
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
This documentation should have been checked in as part of the patches
that added aa_is_confined and aa_get_con.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The define for pid_t is missing in apparmor.h so that if it is included
in programs that don't also include sys/types.h the compile will break.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Subject: apparmor-profiles: Add samba config files
References: bnc#679182 bnc#666450
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
- updated to match trunk
- added changed path to nmbd profile (/var/cache/samba has moved to
/var/lib/samba on (at least) openSUSE 11.4), bnc#679182#c8
For backward compability, it also allows /var/spool/samba.
- Note: The smbd profile already contains both locations.
by Christian Boltz <apparmor@cboltz.de>
updated according to the comments from Steve Beattie
by Christian Boltz <apparmor@cboltz.de>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- allow /var/spool/mail, not only the /var/mail symlink
- allow @{HOME}/Mail/
- allow capability fsetid, read access to /etc/lsb-release and
SuSE-release and k for /var/{lib,run}/dovecot in usr.bin.dovecot
References:
- dovecot: Added support for /var/spool/mail (bnc#691072)
- Updated dovecot profile (bnc#681267).
Patch taken from openSUSE:11.4:Update:Test, file apparmor-profiles-dovecot
updated to match trunk by Christian Boltz <apparmor@cboltz.de>
Change compared to the patch posted to the ML:
- link rule instead of adding l permissions for /var/lib/dovecot and
/var/run/dovecot (as proposed by John Johansen)
Acked-By: John Johansen <john.johansen@canonical.com> on IRC
by converting the comm(1) usage on temporary files to an embedded
awk script. On both Ubuntu and OpenSUSE, a version of awk (mawk in
Ubuntu, gawk in OpenSUSE) is either a direct or indirect dependency
on the minimal or base package set, and the original reporter also
mentioned that an awk-based solution would be palatable in a way that
converting to bash, or using perl or python here would not be.
In the embedded awk script, I've tried to avoid gawk or mawk specific
behaviors or extensions; e.g. this is the reason for the call to sort
on the output of the awk script, rather than using gawk's asort(). But
please let me know if you see anything that shouldn't be portable
across awk implementations.
An additional issue that is fixed in both scripts is handling child
profiles (e.g. hats) during reload. If child profiles are filtered
out (via grep -v '//') of the list to consider, then on reloading
a profile where a child profile has been removed or renamed, that
child profile will continue to stick around. However, if the profile
containing child profiles is removed entirely, if the initscript
attempts to unload the child profiles after the parent is removed,
this will fail because they were unloaded when the parent was unloaded.
Thus I removed any filtering of child profiles out, but do a post-awk
reverse sort which guarantees that any child profiles will be removed
before their parent is. I also added the LC_COLLATE=C (based on the
Ubuntu version) to the sort call to ensure a consistent sort order.
To restate, the problem with the existing code is that it creates
temporary files in $TMPDIR (by default /tmp) and if that partition
is full, problems with the reload action ensue. Alternate solutions
include switching the initscript to use bash and its <$() extension
or setting TMPDIR to /dev/shm/. The former is unpalatable to some
(particularly for an initscript), and for the latter, /dev/shm is
only guaranteed to exist on GNU libc based systems (glibc apparently
expects /dev/shm to exist for its POSIX shared memory implementation;
see shm_overview(7)). So to me, awk (sans GNU extensions) looks to
be the least bad option here.
Bug: https://launchpad.net/bugs/775785
to switch to a non-root user. unscd is installed as /usr/sbin/nscd
at least at openSUSE.
Original changelog entry from unscd package:
Mon Sep 7 17:30:36 CEST 2009 - pbaudis[at]suse.cz
- Provide the /etc/apparmor.d/usr.sbin.nscd file and make it allow
for change to the nobody user [bnc#535467]
Currently the nscd package from glibc and the unscd package both contain
a usr.sbin.nscd profile which needs to maintained/updated manually.
With this patch, the profile could be moved back to the
apparmor-profiles package.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor-utils: Add support for creds and path operations
References: bnc#564316
2.6.29 introduced the path security_operations and credentials
This patch adds support for those operations to the log parser.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Resolved merge conflict and removal operation already supported by
the log parser.
Acked-by: John Johansen <john.johansen@canonical.com>
changing. Since we arguably shouldn't be hardcoding this kind of
thing, this changes a path around to use the C preprocessor to do the
work of finding the kernel definitions.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
instead.
Needed at least on upgraded Ubuntu machines that went from messages to
syslog recently. If this causes problems, we can easily revert it.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
syslog, otherwise audit events will get dropped.
This runs the risk of having the kernel log wrap around, but that
is a less common case that what this solves. This is a work-around
that will go away when complain info takes a different path in the
future.
I intentionally don't allow pUx and Pux since the behaviour of those is
very unexpected (the first letter decides if the environment is cleaned
up or not - at least that's the result of the discussion in April) and
the average user won't know this.
Acked-by: John Johansen <john.johansen@canonical.com>
profiles.
It also adds a comment to the klogd profile that capability sys_admin is
only needed for backward compatibility with older kernels.
Acked-by: John Johansen <john.johansen@canonical.com>
the modifiers as lowercase (meaning to pass on sensitive environment
variables to the exec'ed process) even if the user told them not to
when prompted. This patch fixes the issue.
aa-notify would abort if it could not stat the logfile, as can happen
when using auditd and the directory perms for the logfile do not allow access
(x). Add raise_privileges() and drop_privileges() helper functions and adjust
get_logfile_size() and get_logfile_inode() to raise then drop privileges if the
logfile parent directory is not executable. Also adjust reopen_logfile() to use
these helpers.
When error checking in these helpers, use '$> == ...' instead of '$> = ... or
die...' since perl always dies when raising privs in this manner even though
the euid did change (and $!, $@, $^E, and $? are all the same). Not sure why
this is happening but the '==' check should be sufficient.
aa-notify would abort if it could not stat the logfile, as can happen
when using auditd and the directory perms for the logfile do not allow access
(x). Add raise_privileges() and drop_privileges() helper functions and adjust
get_logfile_size() and get_logfile_inode() to raise then drop privileges if the
logfile parent directory is not executable. Also adjust reopen_logfile() to use
these helpers.
When error checking, use '$> == ...' instead of '$> = ... or die...' since perl
always dies when raising privs in this manner even though the euid did change
(and $!, $@, $^E, and $? are all the same). Not sure why this is happening but
the '==' check should be sufficient.
- drop supplemental group privileges too. While POSIX::setgid() works nice in
that it will set both the real uid and euid, it doesn't do anything with the
supplemental groups (sigh). Instead, assign to $( and $) in a manner that
clears the supplemental groups.
