Setns is used to associate to an existing user namespace, so the
kernel security hook for user namespace creation is not called.
The restriction for setns is that it should have the capability
sys_admin.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This MR closes#286.
Strings with only invalid escape sequences were prefixed with an `r`. Strings containing both valid and invalid escape sequences were handled on a case-by-case basis, as simply changing to a raw string breaks valid escape sequences.
Closes#286
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/951
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This MR closes#276.
In b150c40ed1, I removed the big comment at the top of `BaseRule` stating what methods have to be implemented by subclasses. This was out-of-date, had redundant method descriptions, and was no longer necessary now that `BaseRule` has an `ABCMeta` metaclass and auto-enforces the implementation of abstract methods.
`rule._logprof_header_localvars()` implementations weren't consistent, so I took the opportunity to clean them up in db99138f56. Return types differed, the presence of empty `header` lists differed, how size-two collections were returned differed, etc.
Otherwise, this MR closely follows the discussion in #276.
Closes#276
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/950
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This closes#277 by introducing the following changes:
1. `BaseRule` was made a "proper" abstract base class in that it now enforces that subclasses implement all abstract methods.
2. As a consequence of this change, `BaseRule` can no longer be directly instantiated; tests were changed accordingly.
3. These test changes led to test failures, the reason being that many rule methods hardcoded class names, breaking inheritance. I made a commit to address this.
4. Once tests were passing, code coverage regressed due to the fact that there was now effectively-unreachable code in abstract instance methods. This code, which was only raising `NotImplementedError`s, was removed. I say "effectively-unreachable" here because it could be reached by calling `super()` via a subclass.
5. There are three "bonus" commits as well; one bug fix, one typo fix, and one cleanup.
Closes#277
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/930
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Glibc in 2.36 and later will [1] access sysfs at
/sys/devices/system/cpu/possible when usig sysconf
for _SC_NPROCESSORS_CONF.
That will make a lot of different code, for example
anything linked against libnuma, trigger this apparmor
denial.
apparmor="DENIED" operation="open" class="file" ...
name="/sys/devices/system/cpu/possible" ...
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This entry seems rather safe, and it follows others
that are already in place. Instead of fixing each
software individually this should go into the base
profile as well.
Initially reported via
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
MR: none - ML
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The 3.1 release bumped its library version, and for consistency
needs to be bumped here as well.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This allows regression tests to generate profiles that use rule qualifiers,
such as allow, deny, and audit. Qualifiers can be specified for a rule by
prepending 'qual=', followed by a comma-separated list of rule qualifiers,
then a ':', then the rule itself.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/925
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This allows regression tests to generate profiles that use rule qualifiers,
such as allow, deny, and audit. Qualifiers can be specified for a rule by
prepending 'qual=', followed by a comma-separated list of rule qualifiers,
then a ':', then the rule itself.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
The test kernel_features only checked if the feature file exists, but
there are cases when we need to check if the feature is part of the
file's content. For example, we might want to check if a mode is present
in the feature "mask" file.
This is already supported by libapparmor's aa_features_supports.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Print out a summary of the tests that passed and failed at the end of the
regression tests. Merge the tests and alltests make targets since they
only differ in which tests are run.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/942
Approved-by: Steve Beattie <gitlab@nxnw.org>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This update to the regression test framework allows a test script to
execute a test binary as a different user by passing '-u <username>'
to the settest function.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/941
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Print out a summary of the tests that passed and failed at the end of the
regression tests. Merge the tests and alltests make targets since they
only differ in which tests are run.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
This update to the regression test framework allows a test script to
execute a test binary as a different user by passing '-u <username>'
to the settest function.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
When WSL automatically generates a resolv.conf for an instance, the /etc/resolv.conf file is a symlink to /mnt/wsl/resolv.conf. This patch adds an entry for this to the other policies to handle such management.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/935
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in
/var/log/journal/*.journal - without an additional subdirectory level.
I propose this patch for 2.13..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/932
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This adds a single e2e test to check that raw_data of a loaded
policy matches the generated policy (cached).
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/929
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
audit.log lines on Arch have an additional FSUID="username" OUID="username",
separated from the previous part of the log line with 0x1d.
Extend the log parsing to accept 0x1d as whitespace, and to recognize
(and ignore) FSUID and OUID.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271
Also add one of the log lines from #271 as test_multi test case.
I propose this patch for 3.0..master.
Closes#271
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/940
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
audit.log lines on Arch have an additional FSUID="username" OUID="username",
separated from the previous part of the log line with 0x1d.
Extend the log parsing to accept 0x1d as whitespace, and to recognize
(and ignore) FSUID and OUID.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271
