When using passdb/userdb not requiring root (!= /etc/shadow access)
it is recommended to run the auth processes as non root and chroot'ed
Signed-off-by: Simon Deziel <simon@sdeziel.info>
Debian and Ubuntu have releases coming out with usr-merge in place. For these systems, /bin and /sbin are symlinks to their respective /usr directories. This breaks a few tests in the python utils and in the regression tests. This patch series fixes them, mostly by performing realpath() calls when necessary. For the ptrace regression test, it copies the called /bin/true binary into the created temporary directory and executes it from there. (Good for other reasons, too.)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
These patches should be safe to backport to the supported releases (but I have not attempted that, yet).
See merge request apparmor/apparmor!331
In a usr-merge ubuntu/debian environment /bin is a symlink to
/usr/bin, which causes invalid apparmor policy to be generated for
/bin/true. Instead, copy /bin/true to the per test temporary directory
and execute it from there.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
When run locally on a development machine or in production, the full test
is likely to run. However inside a CI system container 'last' might fail
to show last login or there might not be access to kern.log and the test
will automatically skip those without failing the whole test suite.
This will help ensure the future rewrite of aa-notify from Perl to Python
is less likely to introduce regressions. Tests run the command line utility
via a subprocess so it does not matter that the tests are in Python but
the aa-notify utility is in Perl (for now).
The length of a xmatch is used to prioritize multiple profiles that
match the same path, with the intent that the more specific match wins.
Currently, the length of a xmatch is computed by the position of the
first regex character.
While trying to work around issues with no_new_privs by combining
profiles, we noticed that the xmatch length computation doesn't work as
expected for multiple regexs. Consider the following two profiles:
profile all /** { }
profile bins /{,usr/,usr/local/}bin/** { }
xmatch_len is currently computed as "1" for both profiles, even though
"bins" is clearly more specific.
When determining the length of a regex, compute the smallest possible
match and use that for xmatch priority instead of the position of the
first regex character.
Extend common DebugLogger with option to log to stderr
See merge request apparmor/apparmor!325
Acked-by: Eric Chiang <ericchiang@google.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This makes it possible for e.g. command line tools to have the --debug
option and when invoked print the existing debug messages directly to
stderr so the user running the command can see them.
kde: fix global settings access for Kubuntu and openSUSE
See merge request apparmor/apparmor!322
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
Rewrite aa-decode to use inline Python as Perl is to be deprecated
See merge request apparmor/apparmor!321
Acked-by: Eric Chiang <ericchiang@google.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Defining 'stderr = subprocess.STDOUT' as a default value for function
did not work and the 'stderr' was always empty, thus also 'outerr' was
always empty and not standard error contents was ever considered in any
way.
Best in fact was to remove excess function arguments as they were not even
used and replace it with a simpler and less error prone structure.
Even after reading 'stderr' correctly it did not help much as all tests
used 'assertIn' which ignored excess output. Better replace the normal
output with the error output if there ever was something, since stderr
is most likely a serious thing and tests should stop on it.
- Add documentation stub for what the UI module is and how JSON works
- Make indentation consistent
- Use pythonic 'if' clauses
- Add two spaces after function definitions (Python style)
Exceptions are
- ubuntu-browsers (because we already have ubuntu-browsers.d with
different usage)
- ubuntu-helpers (which includes the sanitized_helper subprofile, so
adding something in the global area wouldn't make much sense)
Also adjust abstractions/postfix-common to use the style all
abstractions use.
Commit b5be596460 added ability to read
/usr/share/drirc.d/ directory to mesa abstraction.
This seems to be a mistake, as it was noted that not all GUI
applications, that need access to drirc.d, also need whole mesa-related
rules (including writing caches).
Move /usr/share/drirc.d/ access to different abstraction. This is not a
breaking change, because any GUI application will have included X
abstraction already, and in the end result - dri-common abstraction too.
Fix typo introduced when resolving a merge conflict for d9ab83281b
("Add support for local additions to abstractions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Local policy may want to extend or override abstractions, so add support for including local updates to them.
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: intrigeri <intrigeri@boum.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Latest netconfig in openSUSE writes /run/netconfig/resolv.conf, and only
has a symlink to it in /etc
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1097370
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.
Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.
Also drop the now unused function get_profile_filename()
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
PR: https://gitlab.com/apparmor/apparmor/merge_requests/296
Signed-off-by: John Johansen <john.johansen@canonical.com>
This updates the mysqld to what I use on my servers nowadays.
Note: my profile also has capability sys_resource,, but I'm not sure why I had to add this and therefore didn't include it in this merge request.
Speaking about "why I had added $whatever" - these changes were collected over the last years and of course ;-) I don't remember any details.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/310
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
dnsmasq: allow peer=libvirtd to support named profile
See merge request apparmor/apparmor!304
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
The /usr/sbin/libvirtd profile will get a profile name ("libvirtd").
This patch adjusts the dnsmasq profile to support the named profile in
addition to the "old" path-based profile name.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1118952#c3
