It turns out that audit and selinux were modified to slightly change the
behavior of getprocattr.
The changes are:
1. when the audit subsystem calls security_getprocattr it only allows
for a return code of EINVAL
2. when the audit subsystem calls security_getprocattr with the size
paramter set to 0. It expects the returned size to be the size
that would be put in the buffer.
This behavior is undocumented in LSM but the changes showed up in
audit and selinux.
This patch fixes AA so that when 0 is passed it will return the size
that would have been read. This in turn fixes the problem where the
audit system spits out a ton of
error in audit_log_task_context messages
the AA getprocattr handling can still return error messages that are
not EINVAL but these should not happen in the audit log context unless
audit makes an error.
The possible places are:
- audit passes a buffer that is to small - this shouldn't happen since
audit uses the return value from a prob with parameter size == 0
- audit task context is trying to read a /proc/<pid>/attr/current that is
the current tasks context.
This shouldn't happen since the task context is for the current task.
- memory allocation fails
This one will generate the message but the audit code its self will
generate the message if its allocation fails.
of EACCESS when an unconfined process calls changehat. This enables
applications using the changehat api to detect that the application
is not confined so probing for a matching hat can be aborted.
of EACCESS when an unconfined process calls changehat. This enables
applications using the changehat api to detect that the application
is not confined so probing for a matching hat can be aborted.
Also add some history to the changelog in the specfile, clean up some
whitespace issues, eliminate no longer needed bogus LC_MESSAGES dir to
work around SUSE autobuild, seems to have been addressed.
by naming the directory (e.g. #include </etc/apparmor.d/abstractions>).
It will skip over dotfiles and as well as subdirectories. It is intended
to make scripting and packaging easier, as the including profile will
not need to know explicitly all of the names to include.
Long term, rather than hardcode that dotfiles will be skipped, it should
be configurable via /etc/apparmor.d/subdomain what patterns of files
should be skipped; genprof/logprof should also honor this setting. The
code could be reused as I'd like to make the parser just take a directory
on the command line rather than being fed profiles one at a time; again
it would skip files based on these same patterns.
This patch also eliminates some dead code in the include processing, as
well as replaces a couple of undersized fixed-size buffer (PATH_MAX is
4095 on linux, buffer is not overflowable due to use of strncpy/snprintf)
with dynamically allocated ones.
directories). It also disables the longpath test (after locking up
another machine from running it), but adds a 'make alltests' target
which will run all the tests plus that one (and any others defined in
the RISKY_TESTS variable.)
pam_apparmor and here's a patch to address most of them--
* header comment was incorrect
* use pam_get_user() instead of pam_get_item()
* return an error if we're unable to change to the DEFAULT hat
In addition, this has a fix to make sure that the magic token we read
from /dev/urandom is not null (which would cause the hat probing to fail
if we need to fall back to the DEFAULT hat).
if necessary. Currently used to suppress warnings about unsafe/unfiltered
environment 'u' exec transitions.
[Corresponds to rev 6415 in the old svn repo]
This commit adds a test that checks to see if exec unconfined -->
confined requires any access to the binary being run confined. Current
behavior is that it does not.
the old svn tree.]
This patch adds tests to verify the environment filtering done in the Px
and Ux cases. It tests the environment from both an elf executable and
from a shell script. Also verifies that with the apparmor module loaded,
environment filtering on setuid apps still happens.
Relicense file to GPL (don't know why it wasn't caught originally). Made
it look in the right location, but doesn't appear to function -- I don't
know if that's due to language changes or if it ever worked. Seth Arnold
will need to comment.
