*Add anonymous shared memory access rule for QtSettings.conf file
itself.
* Reduce strictness of anonymous shared memory file names - numbers in
them can be smaller or bigger.
* Fix consistency - require anonymous shared memory file names to end
with digit in all rules.
parser/apparmor.systemd: fix minor issues detected by shellcheck
See merge request apparmor/apparmor!293
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
See merge request apparmor/apparmor!299
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.
Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
Commit 0d5ab43d59 removed support for loading
modules and introduced a caller, in apparmor_start(), that passes no argument to
is_apparmor_present(), which breaks that function when /bin/sh → /bin/dash.
Passing a module name as argument does not make sense since we dropped support
for the long obsolete "subdomain" module, so let's simplify
is_apparmor_present() and adjust its callers accordingly.
Bug-Debian: https://bugs.debian.org/917874
profiles/apparmor.d/abstractions/X: make x11 socket read-only
Write access isn't needed for connecting to x11 socket. Also clear some duplicate and redundant rules in other abstractions.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/281
Acked-by: John Johansen <john.johansen@canonical.com>
/var/lib/dhcp/dhcpd6.leases path for lease file on IPv6 has been in
dhcp repository since 2008, now visible in commit 8dea7ba7 ("Add DHCPv6
files in configure").
Signed-off-by: Petr Vorel <pvorel@suse.cz>
/var/lib/dhcp/dhclient6.leases path for lease file on IPv6 has been in
dhcp repository since 2008, now visible in commit 8dea7ba7 ("Add DHCPv6
files in configure").
Adding it via extending dhclient-*.leases pattern.
Not sure whether /var/lib/dhcp6/dhclient.leases was ever used on Linux,
but keep in for backward compatibility.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Since 04eb2fe3, __parse_profiles_dir can only return 0 or 1, so $STATUS can only
be 0 or 1, so trying to reset this variable to 0 when its value is 2 can only
cause confusion.
Split out RE_FLAGS
... instead of having it duplicated in RE_PROFILE_HAT_DEF and RE_PROFILE_START.
Note that the flags=... handling in RE_PROFILE_HAT_DEF was more/too
strict (for example it didn't allow whitespace around the "="), so this
change also qualifies as a little bugfix.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/287
Acked-by: John Johansen <john.johansen@canonical.com>
dovecot: allow reading /proc/sys/fs/suid_dumpable
This is needed if a dovecot child process segfaults - in this case, dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.or /bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
I propose this fix for 2.10..master.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/286
Acked-by: John Johansen <john.johansen@canonical.com>
Ignore *.orig and *.rej files when loading profiles
This was "accidently" reported by Ralph on the opensuse-support
mailinglist.
I propose this for 2.10..master (I verified that 2.10 tools and libapparmor have *.orig and *.rej in the ignore list)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/282
Acked-by: John Johansen <john.johansen@canonical.com>
dnsmasq profile updates by Petr Vorel
This merge request includes two dnsmasq profiles Petr Vorel sent to the mailinglist:
dnsmasq: Add pid file used by NetworkManager
dnsmasq: Adjust pattern for log files to comply SELinux
I propose these patches for 2.11..master.
I'm not against also backporting to 2.10, but the profile in 2.10 doesn't allow to write anything in /var/log/, so either we apply/backport the changes manually, or we rely on the fact that we didn't get any bugreports for it ;-) Oh, and since I'm only forwarding these patches, I'll already add
Acked-by: Christian Boltz apparmor@cboltz.de for 2.11..master
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/288
i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
... instead of having it duplicated in RE_PROFILE_HAT_DEF and
RE_PROFILE_START.
Note that the flags=... handling in RE_PROFILE_HAT_DEF was more/too
strict (for example it didn't allow whitespace around the "="), so this
change also qualifies as a little bugfix.
This is needed if a dovecot child process segfaults - in this case,
dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
In fed101920b, the coverity build process
was modified to split out the build logs into separate files, instead of
having one log file that gets overwritten repeatedly, making failures
hard to debug.
However, the coverity service gets upset if there is no file named with
the expected build log name. Therefore, instead, we'll capture the
python bits first, and then capture all the compilation bits in one
cov-build command.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/273
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
