testcases) to
- sleep 10 seconds after each failed test to make failures more annoying
^W^W^W^Wgive people a chance to read failure details
- print a list of failed tests at the end
Also avoid duplicate code by letting runtests-py2.sh call runtests-py3.sh.
Acked-by: Steve Beattie <steve@nxnw.org>
LOG_MODE_RE is also defined (and used) in aamode.py.
This patch removes the superfluous definition from logparser.py.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch fixes some memory leaks in the libapparmor log parsing
functions, specifically around handling records obtained from syslog
and records containing network addresses.
Bug: https://bugs.launchpad.net/bugs/1340927
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch is cosmetic; it cleans up a lot of whitespace issues:
removing trailing spaces, converting tabs into spaces, and removing
unneeded spaces around function arguments.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch is a cosmetic set of changes to remove references to immunix
from the source code (except in the case of handling deprecated
keywords), as well as correcting my email address.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch adds an additional hat to try in the mod_apparmor processing
sequence, constructed from the host's ServerName + '-' + URI
(e.g. 'www.example.com-/some/uri'). This hat is attempted before the raw
URI hat is attempted, leaving the ordering as follows:
(1) to a hatname in a location/directory directive
(2) to the server name or a defined per-server default
(3) to the server name + "-" + uri
(4) to the uri
(5) to DEFAULT_URI
(6) back to the parent profile
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
In trunk revno 2335, a bug was fixed in mod_apparmor that corrected
the storage location for AADefaultHatName. The incorrect storage
caused the hat specified by the AADefaultHatName keyword to be the
default value for AAHatName, and meant that if both an AAHatName and
an AADefaultHatName entry were given in a vhost, mod_apparmor would
not fall back to trying AADefaultHatName if the hat specified in
AAHatName did not exist in the apache apparmor profile.
However, because the value specified in AADefaultHatName was the
default, if no AAHatName was specified, it would be attempted first,
before a hat based on the passed URI, rather than after as the
documentation stated and the code intended. By fixing the storage bug,
the attempted hat ordering now matched the documentation. But a number
of users came to rely on AADefaultHatName being attempted before
the URI. For trunk, this issue is less severe because mod_apparmor
passes a vector of hats to aa_change_hatv(), and thus missing URI
hats are not logged by the kernel apparmor bits. It still represents
a behavioral change to users, though.
This patch re-adjusts the ordering so that the URI-based hat is
attempted after the hat specified by AADefaultHatName is attempted,
thus maintaining the actual behavior before the bug addressed in
revno 2335 was fixed.
Patch history:
v1: initial revision
v2: no code changes; adjust comments and improve the man page
documentation
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Some updates for the dovecot profiles, based on a patch from
Christian Wittmer <chris@computersalat.de> (he sent it as SR for the
openSUSE package, which uses a slightly older version of the dovecot
profiles)
Fix problems with dovecot and managesieve:
* usr.lib.dovecot.managesieve-login: network inet6 stream
* usr.lib.dovecot.managesieve:
+#include <tunables/dovecot>
/usr/lib/dovecot/managesieve {
+ capability setgid, # covered by abstractions/dovecot-common, therefore not part of this patch
+ capability setuid,
+ network inet stream,
+ network inet6 stream,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
* add #include <abstractions/wutmp> to usr.lib.dovecot.auth
apparmor="DENIED" operation="open" parent=18310 \
profile="/usr/lib/dovecot/auth" name="/var/run/utmp" pid=20939 \
comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://launchpad.net/bugs/1322778
When configured with "clustering = yes", Samba needs to be able to
connect to the local ctdbd daemon socket, and directly manipulate .tdb
database files managed by ctdb.
Signed-off-by: David Disseldorp <ddiss@suse.de>
This commit adds a dovecot-common abstraction, as well as adjusting
the profiles for dovecot's helper binaries to make use of it. The
important addition is the ability for the dovecot master process to
send signals to the helpers.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Move postfix-common from program-chunks/ to abstractions/; remove
program-chunks directory since postfix-common was the last resident of
that directory (and had been since 2007), and adjust the includes of all
the profiles that include postfix-common.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- Allow reciprocal ptrace readby to everyone (requires peer unconfined or to
ptrace read to us)
- same for ptrace tracedby
- allow us to ptrace read ourselves
- receive all signals from unconfined
- allow us to signal ourselves
- allow sending and receiving "exists" (for pid existence)
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch improves the error messages in aa.py store_list_var() to make
debugging of profile syntax problems easier. It also adds an additional
parameter for the profile filename (used in the error message)
Acked-by: Steve Beattie <steve@nxnw.org>
Earlier fixes to the parser's handling of escape sequences involving '\'
caused a behavioral change that profiles no longer needed to contain
'\\' before an octal escape sequence. However, the regression tests were
never modified to take this change into account, and thus the i18n.sh
octal tests would fail. This patch fixes that.
Also, with the changes, the parser no longer accepts _\_ as a valid
sequence, so we skip this character.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com> (on IRC)
The change to processing escape sequences in trunk commit r2537 requires
a corresponding change to the unit tests in parser_misc.c.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
escape sequences that result in special character that will be interpreted
by later processing need to be passed through as well.
Eg. previously \\ was fixed to be passed through, but other chars
get interpretted as well.
*?[]{}
and ^, in character classes
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Also for characters that are not recognized as a valid escape seq
make sure that the character is emitted.
previously
\$ resulted in \
where it should have been \$ if $ wasn't recognized
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
r2456 unified escape sequence processing but it results in the \\
sequence being processed multiple times (lexer, regex conversion,
backend pcre parsing).
What used to happen was the lexer would only convert octal sequences
and a few special escapes, \\ would be passed through the lexer and
the regex conversion, thus only being handled in the pcre backend.
r2456 changed that so that \\ is handled by the lexer, converting it
to \, which is handled as an escape sequence in both the regex
conversion and the pcre backend.
This means
\\001 instead of being treated as the literal \001 is treated
as an octal escape sequence which is rejected by the regex conversion
(it only allows for certain special chars).
etc.
Fix this by ensuring the lexer does not processes \\ and passes it
through so it is only handled in the backend as was done in the past.
Also fix front end escape sequence processing of octals etc from resulting
in a later escape sequence. That is \134, \d92, .. would get converted
to \ in the lexer and then treated as an escape sequence in the regex
conversion or pcre processing.
We fix this by converting them to the equivalent \\ sequence in the
lexer and letting the backend processes it.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch fixes a crash in aa-complain when a profile name is quoted.
It also makes sure aa-complain actually adds the complain flag in such
cases. (aa-enforce etc. will also benefit from this fix.)
Note: superfluous quotes will be removed when saving the profile (for
example with aa-cleanprof), but they are kept if needed, like in
profile "/bin/foo bar"
(tested with aa-complain and aa-cleanprof - and also with "rcapparmor
reload", where the initscript bailed out because my profile filename
contained a space...)
The patch also adds some TODO notes.
References: https://bugs.launchpad.net/apparmor/+bug/1296218
Acked-by: Steve Beattie <steve@nxnw.org>.
For some strange reason our caching use ctime instead of mtime.
However this can lead to odd cases of the cache missing even though
neither the profile data nor cache data have changed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Update the apache2 profile so that the parent apache process can kill
worker processes inside of hats. Update the example comments and the
DEFAULT_URI and HANDLING_UNTRUSTED_INPUT hats to include the
apache2-common abstraction to allow them to receive signals from the
parent process.
Author: Kees Cook <kees@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/apparmor/+bug/1322764
Update the apache2-common abstraction so that the parent apache process
can kill worker processes inside of hats, as well as handle the updated
mod_apparmor behavior that invokes aa_change_hatv() and then checks
which hat it ended up in via aa_getconn() (which reads from
{PROC}/@{pid}/attr/current).
Author: Kees Cook <kees@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/apparmor/+bug/1322764
The child process changes into a hat while the parent process stays in
the main profile.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Add two tests that verify AppArmor denials when one end of the pipe has
bad access permissions to the pipe.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The named_pipe parent process kills the child process at exit. A
"signal," rule must be added to all confinement profiles when the test
is running under a kernel that performs signal mediation.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Allow for the parent and child processes to change into separate hats to
verify named pipe communications between hats with varying permissions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Add debugging info to test binaries and disable optimizations.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
When creating a child profile while using genprof, I get a backtrace:
Traceback (most recent call last):
File "aa-genprof", line 160, in <module>
lp_ret = apparmor.do_logprof_pass(logmark, passno)
File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 2291, in do_logprof_pass
save_profiles()
File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 2309, in save_profiles
for prof_name in changed.keys():
RuntimeError: dictionary changed size during iteration
(See https://bugs.launchpad.net/apparmor/+bug/1014304 for more details.)
After digging into the code, it seems for some reason the child profile
is added to "changed" - I doubt this is correct (guess why it's removed
later... ;-)
After digging a bit more, I found out that create_new_profile() is
(ab)used to create a new stub profile to be used as child profile.
create_new_profile then adds the new child (which looks like a normal
profile to it) to "changed".
This patch most probably makes the cleanup round in save_profile()
superfluous by adding a is_stub parameter to create_new_profile(). If
this parameter is set, the new (child) profile is not added to "created"
and "changed".
I intentionally added the two print() lines in safe_profile because
a) I think they will never be displayed
b) I want to know if a) is wrong ;-)
c) it's always nice to have a "nice" error message before displaying
a backtrace ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
(unlimited) because the "if not value:" check matches 0.
This patch replaces the check with "... is None".
It also prints a warning if the old value is None (could in theory
happen if reading the old value failed).
Acked-by: Steve Beattie <steve@nxnw.org>. Thanks.
preprocessor and is not as thorough as -QTK (--skip-kernel-load,
--skip-read-cache, --skip-cache). Like with '-p', '-QTK' can be run without
privilege but it will catch things like conflictings 'x' modifiers.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Commit r2456 fixes a bug in the parsers compilation that can result
policy failures. Unfortunately this Bug slipped into the wild and
shipped in at least one distro.
Bump the parser abi so that parsers that have the fix will invalid
existing cache files, and recompile policy to ensure the fix is applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/bugs/1325109
The parser will accept rules with either umount or unmount rule types.
The utils should follow suite.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Bug: https://bugs.launchpad.net/bugs/1235478
This is a test to check the label on file descriptors returned from
socketpair().
In its simple form, it simply calls socketpair() and checks the
labels on both fds.
In its complex form, it has the ability to do the simple test, then set
up an exec transition using aa_change_onexec(), and re-exec itself to
check the labeling after the file descriptors have been passed across an
exec transition.
The complex form is meant to test revalidation at exec. AppArmor
currently keeps the original labeling in place across the exec
transition.
Note that this test does not currently test read/write access to the
file descriptors. It only checks the label, as returned by
aa_getpeercon(2).
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Allow for the regression tests to specify arbitrary profile names
without hitting fatal errors or getting warnings from mkprofile.pl.
This allows for a test to have a line like this:
genprofile change_profile->':arbitrary_name -- \
image=arbitrary_name addimage:$test
In the example above, $test can call aa_change_onexec("arbitrary_name")
and then re-exec itself to test behavior across exec transitions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
