In order to decrease the number of characters in the audit logs
from the kernel, we will drop the "_mask" from the fields
"requested_mask" and "denied_mask".
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
the only supported mode for the moment is `create`, so the following rules have the same effect
```
userns,
userns create,
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/927
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
GUI applications such as KDE dragon player, qTox, LibreOffice tries to
access .config/kwinrc, .config/kdedefaults/kwinrc and
.config/kdedefaults/kdeglobals.
Update abstractions/kde to fix denials for applications running under
KDE.
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/928
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This adds a single e2e test to check that raw_data of a loaded
policy matches the generated policy (cached).
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
As discussed in !920, this MR renames BaseRule's `parse()` and `_parse()` methods to `create_instance()` and `_create_instance()`, respectively. It then removes the `selection_to_rule_obj` function from `apparmor.aa`, which is now an unnecessary alias for the renamed public method.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/923
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This MR addresses #269.
Notes:
- In all `is_equal_localvars()` Rule methods, `type(self)` is now used instead of the explicit class. This approach works better with inheritance, and was already used in `IncludeRule` for this reason.
- Remaining direct type comparisons were changed to use `is`/`is not` instead of `==`/`!=`.
- I fixed two typos in `alias.py`; the plural of alias is aliases, not aliass.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/920
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
If audit.log contains entries for a profile that doesn't exist (for
example when working with a log file from another system), skip these
log entries instead of crashing.
Reproducer (crashes without this patch):
aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
I propose this patch for 3.1 and master. (3.0 and older are not affected and do not need this fix.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/919
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
If audit.log contains entries for a profile that doesn't exist (for
example when working with a log file from another system), skip these
log entries instead of crashing.
Reproducer (crashes without this patch):
aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
Addresses #270. The `mk_features_file.py` changes are just for clarity, as shadowing built-ins confuses readers.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/918
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
As discussed in #241 and !906, there are some overly broad `except` statements that should be fixed. This MR does so. Some notes:
- `profile_dir` in `aa.py` may be `None`, hence the `TypeError` catches. The other globals are not caught in the code, however. E.g. there are possibilities of TypeErrors due to `extra_profile_dir` being `None`.
- I added a TODO in `common.py` that I'd like some eyes on. I do not think that `os.path.normpath` can raise an exception (the [Python docs](https://docs.python.org/3/library/os.path.html?#os.path.normpath) don't mention exceptions, and none are raised in the [CPython source code](https://github.com/python/cpython/blob/main/Lib/posixpath.py#L345)). [After discussing this in the MR, the `os.path.normpath` check was removed.]
- The `except Exception: raise` occurrences throughout `test-aa-easyprof.py` do nothing, so I removed them.
- In `valgrind_simple.py`, I fixed a possible `NameError` in the `finally` clause.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/912
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
The upstream php-fpm.conf file carries the following pid file example
path:
[global]
; Pid file
; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
; Default Value: none
;pid = run/php-fpm.pid
Add this path to profiles/apparmor.d/php-fpm, alongside the current
nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: David Disseldorp <ddiss@suse.de>
Closes#267
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/914
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
The upstream php-fpm.conf file carries the following pid file example
path:
[global]
; Pid file
; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
; Default Value: none
;pid = run/php-fpm.pid
Add this path to profiles/apparmor.d/php-fpm, alongside the current
nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: David Disseldorp <ddiss@suse.de>
In commit 7c7224004 ("Prepare for AppArmor 3.1 release"), as preperation
for the AppArmor 3.1.0 release, the SO versioning information was
adjusted, using a more significant bump to give prior AppArmor releases
room to address bugs in libapparmor without ending up with conflicting
SO versions. Unfortunately, that process was untested and because
AA_LIB_AGE was not incremented by the same amount as AA_LIB_CURRENT,
this resulted in an accidental major SO versions bump with the library
SO version being:
libapparmor.so.4.9.0
This commit increments AA_LIB_AGE by the same amount, resulting in a
library versioned as:
libapparmor.so.1.12.0
and adds a note to mention that AA_LIB_AGE needs to be incremented
in the same way as AA_LIB_CURRENT. This fix is intended to address
this for the 3.1 branch; I'd like to find a better approach for
the development branch that can be used in future AppArmor primary
releases.
In general, thanks to symbol versioning (see
`libraries/libapparmor/src/libapparmor.map`) we should not need to
ever bump the SO version except in an extreme case.
Fixes: 7c7224004 ("Prepare for AppArmor 3.1 release")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/266
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/913
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 075c69a4eb)
f9dbaa38 [3.1] libapparmor: fix mistaken SO version bump
by adding a warning flag that is disabled by default. This will enable
devs to find when and where #include is in use by adding the compile
flag
--warn=pound-include
and can even abort policy compiles by using
--warn=pound-include --Werror=pound-include
The resulting messages look like
Warning from /etc/apparmor.d/usr.sbin.cupsd (/etc/apparmor.d/usr.sbin.cupsd line 5): deprecated use of '#include'
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time-out
This change tries to give us some room to deal with versioning issues
like we had in
145136f6 Fix 2.13 libapparmor so version
which revered the library version bump in
5c47e448 libapparmor: Bump revision in preparation for release.
which was done because of the symbol added by
351014c3 libapparmor: add _aa_asprintf to private symbols
unfortunately this collided with the 3.0 library symbol versioning
which had a different set of symbols with the same version numbering.
Leaving us no way to increase the version number to when fixing an
exported symbol version in a released library.
Ideally this would have been fixed with library version synchs but
in this case that option wasn't open as we were dealing with two
released versions of the library.
Bumping the current version by 5 on the larger releases gives us room
to deal with these kind of bugs in the future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time-out
Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since
this is probably unrelated to the path or a path change, this commit
also adds r permissions for the previous path.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161
I propose this patch for 3.0 and master (optionally also for 2.12 and 2.13 - please tell me if you want that after reviewing the patch, or just merge ;-)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/905
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This MR addresses much of #241. Each commit handles a different aspect of the style guide. All commits are style-only. Lacking from this MR are changes that would alter behavior and/or break backward-compatibility.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/906
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
