If /proc/filesystems contains a filesystem that is not listed in
MountRule valid_fs, print a useful error message that says what exactly
is going on, instead of only saying "False is not True".
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1166
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Now that we have MountRule and MountRuleset, drop the old "just store
the whole rule" code for mount rules.
Also drop some old tests that used that "store the whole mount rule"
code, and adjust the regex_matches tests to import the regex directly
from apparmor.regex.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1165
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
The `9p` filesystem is available during the build in build.opensuse.org.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1164
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
If /proc/filesystems contains a filesystem that is not listed in
MountRule valid_fs, print a useful error message that says what exactly
is going on, instead of only saying "False is not True".
Now that we have MountRule and MountRuleset, drop the old "just store
the whole rule" code for mount rules.
Also drop some old tests that used that "store the whole mount rule"
code, and adjust the regex_matches tests to import the regex directly
from apparmor.regex.
A simple rule without conditionals need to be generated for when the
kernel does not support fine grained inet network mediation.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
By not having quotes in $@, the string splits by the whitespace.
That prevents us from checking if the parser supports rules
that have spaces in them.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Options available are ip= and port= inside the peer group or outside,
representing local addresses and ports:
network peer=(ip=127.0.0.1 port=8080),
network ip=::1 port=8080 peer=(ip=::2 port=8081),
The 'ip' option supports both IPv4 and IPv6. Examples would be
ip=192.168.0.4, or ip=::578d
The 'port' option accepts a 16-bit unsigned integer. An example would
be port=1234
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Nautilus uses user namespaces to load thumbnails, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123
Although nautilus has extensions that would allow opening a terminal
from the nautilus interface, they do not inherit nautilus' AppArmor
label, therefore the use of unconfined does not allow arbitrary use of
unprivileged user namespaces using the nautilus label.
https://gitlab.com/apparmor/apparmor/-/merge_requests/1123
In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.
Fixes: https://bugs.launchpad.net/bugs/2047256
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1161
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Nautilus uses user namespaces to load thumbnails, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123
Although nautilus has extensions that would allow opening a terminal
from the nautilus interface, they do not inherit nautilus' AppArmor
label, therefore the use of unconfined does not allow arbitrary use of
unprivileged user namespaces using the nautilus label.
https://gitlab.com/apparmor/apparmor/-/merge_requests/1123
In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.
Fixes: https://bugs.launchpad.net/bugs/2047256
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit add fixes for issues found in coverity's snapshot 70858.
- CID 323127: Performance inefficiencies (COPY_INSTEAD_OF_MOVE)
- CID 323125: Uninitialized members (UNINIT_CTOR)
I'm also removing Novell, Inc. from the copyright notice added by a
copy-paste error, and an unused variable left over from debugging.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Precompile each filter regex with re.compile so they don't need to be
recompiled for each log message when using re.match directly.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1158
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Precompile each filter regex with re.compile so they don't need to be
recompiled for each log message when using re.match directly.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
aa-unconfined can fault if it looses the race between checkking if
proc/*/attr/{apparmor/,}current exists, and actually opening the file.
Catch open/file errors and ignore them like the file doesn't exist.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/355
Signed-off-by: John Johansen <john.johansen@canonical.com>
The current attachment works from the commandline but not from
gnome as it uses an alternate path.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/368
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow notification filtering of the fields profile, operation, name,
denied_mask, net_family and net_socket using regex. Both command line
and config options in notify.conf are available.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1154
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Allow notification filtering of the fields profile, operation, name,
denied_mask, net_family and net_socket using regex. Both command line
and config options in notify.conf are available.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The tests for aa-notify that were related to the last login were
assuming that the machine had been logged in at least once in the last
30 days, but that might not be the case.
Update the test to check for the last login date and update the test
logs considering that value.
Fixes: https://bugs.launchpad.net/bugs/1939022
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1152
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The tests for aa-notify that were related to the last login were
assuming that the machine had been logged in at least once in the last
30 days, but that might not be the case.
Update the test to check for the last login date and update the test
logs considering that value.
Fixes: https://bugs.launchpad.net/bugs/1939022
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Failures on regex and exec are related to /usr/bin and /bin merge.
The userns failure is related to the addition of the unprivileged_userns
profile and the kernel ability to transition to it when an unconfined
unprivileged user namespace is created.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1146
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The help message from aa-status referenced -h filter when it should
have been -h filters. Also added some whitespaces for consistency.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1151
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The short form of the help parameter was not accepting an optional
argument as described in the help message. Update the help message to
remove the extra whitespace in between -h and the options since
getopt(1) says that
"If the option has an optional argument, it must be written directly
after the option character if present."
even though that's not described in getopt(3).
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The help message from aa-status referenced -h filter when it should
have been -h filters. Also added some whitespaces for consistency.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
element-desktop needs to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123!1123
In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
!1109
is merged.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1150
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Some openssl distributions use version specific engdef and engines paths
to support multi-version installations.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219571
Signed-off-by: David Disseldorp <ddiss@suse.de>
These applications need to use user namespaces, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123https://gitlab.com/apparmor/apparmor/-/merge_requests/1123
In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.
Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
There is a kernel feature, available under
namespaces/userns_create/pciu&, that enables the transition of
unconfined tasks to a special profile called unprivileged_userns when
they try to create an unprivileged user namespace with
clone/unshare. This transition allows the creation of the unprivileged
user namespace but hinders its privileges by not allowing
capabilities. Refer to the unprivileged_userns profile to check what
rules are allowed.
If either the feature is not present in the kernel, or the
unprivileged_userns profile is not loaded, then the defined behavior
is to deny the creation of the unprivileged user namespace
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Some of the tests are failing because of /usr/bin/true vs /bin/true.
Similarly to what was done in 8c09b328, to make the tests more
reliable, copy the true binary to $tmpdir and use this path on the
tests instead.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
