The new af_unix apparmor kernel patches include the first step towards
implicit labeling. As a result, when a file descriptor is inherited
across one profile boundary to another, both labels' policies are
checked for valid access to the file descriptor. However, due to a quirk
in the linux kernel, when a socket is opened, the file descriptor is
marked as having read and write (aka send and receive) access. When the
crosscheck revalidation occurs, this means that the policy being
inherited from requires read/write access to the socket descriptor, even
if the process never reads or writes to it. This resulted in a few
failures in the socketpair tests.
The following patch adjusts the failing tests to include the neccessary
send and receive permissions, as well as adding additional tests that
are expected to fail when they are not present, to try to ensure that
if our crosscheck behavior changes, we catch it.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Based on a patch from Felix Geyer who wrote in April:
> On Ubuntu trusty the php package creates config symlinks in
> /etc/php5/cli/conf.d/, /etc/php5/cgi/conf.d/ and
> /etc/php5/fpm/conf.d/ to /etc/php5/mods-available/.
This patch is a simplified version of his patch that allows
/etc/php5/**.ini r and /etc/php5/**/ r
Acked-by: Seth Arnold <seth.arnold@canonical.com> on IRC
(after menacing an Acked-by: <timeout>)
both real [0] and hypothetical (e.g. gui prototypes), as part of
the python utils merge, some namespace packaging bits were added
to apparmor/__init__.py, based on the (not very clear) advice given
in python's pep 0420 [1]. However, a side effect of this is that it
causes system installed versions of python modules to be used over
paths specified via PYTHONPATH [2], which breaks our in-tree tests
when the system versions of the python modules are out of date with
respect to the in-tree version.
It seems based on testing, however, that carrying this code snippet
is no longer necessary to have external modules be found. Thus,
the following patch drops it.
[0] e.g. https://launchpad.net/click-apparmor
[1] http://www.python.org/dev/peps/pep-0420/
[2] a python upstream discussion about this occurred at
https://mail.python.org/pipermail/distutils-sig/2014-March/024049.html
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adds a 'check_pod_files' make target to the common make
rules, and then fixes the errors it highlighted as well as most of
the warnings. It will cause 'make check' in most of the directories to
fail if there are errors in a pod file (but not if there are warnings).
Common issues were:
- using an '=over/=back' pair for code-like snippets that did not
contain any =items therein; the =over keyword is intended for
indenting lists of =item entries, and generates a warning if
there isn't any.
- not escaping '<' or '>'
- blank lines that contained spaces or tabs
The second -warnings flag passed to podchecker is to add additional
warnings, un-escaped '<' and '>' being of them.
I did not fix all of the warnings in apparmor.d.pod, as I have not come
up with a good warning-free way to express the BNF of the language
similar in format to what is currently generated. The existing
libapparmor warnings (complaints about duplicate =item definition
names) are actually a result of passing the second -warnings flag.
The integration into libapparmor is suboptimal due to automake's
expectation that there will be a test driver program(s) for make check
targets; that's why I added the podchecker call to the manpage
generation point.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
---
changehat/mod_apparmor/Makefile | 3
changehat/mod_apparmor/mod_apparmor.pod | 28 ++-
common/Make.rules | 4
libraries/libapparmor/doc/Makefile.am | 7
parser/Makefile | 2
parser/apparmor.d.pod | 275
+++++++++++++-------------------
utils/Makefile | 3
utils/aa-cleanprof.pod | 2
utils/aa-complain.pod | 2
utils/aa-decode.pod | 2
utils/aa-easyprof.pod | 69 +++-----
utils/aa-enforce.pod | 2
utils/aa-genprof.pod | 2
utils/aa-logprof.pod | 6
utils/aa-sandbox.pod | 64 ++-----
utils/logprof.conf.pod | 2
utils/vim/Makefile | 2
17 files changed, 212 insertions(+), 263 deletions(-)
This patch:
- replaces unnamed arguments with named arguments wherever more than 1
one arguments ware present in a message
- minor fix in aa-unconfined for pname argument in 2 strings
- updated pot files (as a side-effect of testing with make)
Acked-by: Christian Boltz <apparmor@cboltz.de>
In profile.h, flagvals is declared to be class, but then in the
Profile class, the flags field declares it as a struct. This patch
makes the field declaration type consistent.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
In trunk commit 2615, make targets for af_rule.o and af_unix.o were
added. Unfortunately, the af_rule.o target's dependency on rule.h was
missing the .h suffix. This patch fixes the issue and adds some other
headers that the source file are dependent on.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Put a bare unix rule in the core gendbusprofile() function that all
dbus_*.sh use. We aren't interested in testing AF_UNIX mediation in the
dbus tests, since that's already done elsewhere, so we'll
unconditionally allow full AF_UNIX access to prevent test breakage
caused by any future changes in libdbus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
A side effect of not including utils/apparmor/*.py in the .pot file was
that some translations were lost. This patch includes backported (or
forward-ported?) translations from r2186. It's not a simple merge, I
reviewed everything I merged and changed it if necessary.
I also removed the outdated
"Language-Team: Novell Language <language@novell.com>\n"
Acked-by: Seth Arnold <seth.arnold@canonical.com>
In the conversion from perl to python, it got overlooked to add the
python-apparmor modules to the set of things to search for translatable
strings in. This patch addresses the issue.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
missing <sys/sysctl.h> header. This header is included by accident, a
vestige of earlier days, and wasn't removed when the sysctls were removed.
(Think Linux 2.0 or Linux 2.2 days.)
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760378
Thanks to Thorsten Glaser for the discovery and initial fix.
The Debian and Ubuntu Ruby 1.9.1 package is configured like this:
--with-vendordir='/usr/lib/ruby/vendor_ruby' --with-sitedir='/usr/local/lib/site_ruby
These paths are missing in the ruby abstraction.
Patch by Felix Geyer <debfx@ubuntu.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
> Allow dnsmasq read access to IPv6 config
The commit did not match this part of the commit message
> slightly modified (../conf/**/mtu -> ../conf/*/mtu)
which I'm fixing now.
The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
implementations provide MTU in Router Advertisement (RA)
messages. From section 4.2
MTU SHOULD be sent on links that have a variable MTU
(as specified in the document that describes how to
run IP over the particular link type). MAY be sent
on other links.
dnsmasq supports this option and should have read access
to an interface's MTU.
Patch by James Fehlig <jfehlig@suse.com>
slightly modified (../conf/**/mtu -> ../conf/*/mtu)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
getopt, setopt and shutdown. This was added based on incorrect logging in early
iterations of the abstract kernel patches which have since been fixed. These
options don't make sense with peer=(addr=none), so drop that.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Unrequested replies are message types that are typically replies, such
as error and method_return message types, but have not been requested by
the recipient.
The AppArmor mediation code in dbus-daemon allows requested reply
messages through if the original message was allowed. However,
unrequested reply messages should be checked against the system policy
to make certain that they should be allowed.
This test verifies that the dbus-daemon is properly querying system
policy when it detects that a message is an unrequested reply.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
