Out of the box the KDE plasma-browser-integration package does not work
after a user installed the corresponding Firefox extension: The browser
can't start the native host binary. The same is probably true for
Chromium.
This was originally reported to KDE at https://bugs.kde.org/show_bug.cgi?id=397399
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1115
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Even if this is very unlikely to happen (because of the previously added
test, and because CapabilityRule only allows to specify known severity
keywords), ensure proper behaviour if an unknown severity gets rated.
- convert a string parameter to a list to avoid duplication of the
validation logic
- add separate check for empty cap_list
- remove check for empty strings - the previous commit already added
such a check to the for loop. Also, move the comment to that check.
... and error out if an unknown capability is given.
This also means recognizing bad capabilities in the parser simple_tests
now works (so remove these from the exception_not_raised list), and that
we can no longer hand over an unknown capability in test-capability.py
to test their severity.
... instead of non-existing ones.
This is a search-and-replace commit:
ptrace -> sys_ptrace
chgrp -> fowner (because fowner wasn't used in the test before)
Out of the box the KDE plasma-browser-integration package does not work
after a user installed the corresponding Firefox extension: The browser
can't start the native host binary. The same is probably true for
Chromium.
This was originally reported to KDE at https://bugs.kde.org/show_bug.cgi?id=397399
tools.py contained quite some things that need a big cleanup.
See the individual commits for details and more readable diffs.
Note: This MR "only" does cleanups and some refactoring. It does not change the (user-visible) behaviour of the code.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1114
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This also means we can get rid of most cleanprof-specific conditions
without changing the behaviour (because the other functions don't use
'profile' yet).
Also hand over prof_filename to clean_profile() so that it doesn't need
to find it out itsself.
Before, the 'profile' return value was either a profile name or a
profile filename, depending on the active module (cleanprof vs.
everything else).
Separate the return values so that it's clear what we get.
Notes:
- This commit doesn't change functionality, only the number of return
values and some variable names.
- There's no guarantee that all return values are set. They can also be
None. (This might change in the future.)
Also adjust the callers of get_next_to_profile(), and rename 'profile'
to 'prof_filename' in calling functions that actually use the profile
filename.
Add init function support to skip incus prefixed policy like is done for lxc and lxd
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1112
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Since the unittests now compare a dict that contains an AARE, this also needs:
AARE: add `__eq__()` to allow checking aare1 == aare2
... and add some tests for it
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1111
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This needed replacement of "program" with "profile" at various places in
tools.py (of course this description is over-simplified).
The changes in get_next_to_profile() (which is used by several aa-*
minitools) are restricted to cleanprof to avoid side effects in the
other aa-* minitools.
However, the other aa-* minitools possibly also suffer from problems
with named profiles, but checking and fixing that is left for another
commit ;-)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/351
.
The fix needs an additional function in ProfileList (`profile_from_attachment()`) to get the profile name for a given attachment.
Since this is not very different from filename_from_attachment(), move
most of the code into a thing_from_attachment() function, and make
{profile,filename}_from_attachment wrappers for it.
Also adjust the tests to the changed internal data structure, and add
tests for profile_from_attachment().
I propose this patch for 3.0..master. (3.0 will probably need a slightly different patch - I'll submit a separate MR once this MR is merged.)
Closes#351
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1108
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This needed replacement of "program" with "profile" at various places in
tools.py (of course this description is over-simplified).
The changes in get_next_to_profile() (which is used by several aa-*
minitools) are restricted to cleanprof to avoid side effects in the
other aa-* minitools.
However, the other aa-* minitools possibly also suffer from problems
with named profiles, but checking and fixing that is left for another
commit ;-)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/351
... to get the profile name for a given attachment.
Since this is not very different from filename_from_attachment(), move
most of the code into a thing_from_attachment() function, and make
{profile,filename}_from_attachment wrappers for it.
Also adjust the tests to the changed internal data structure, and add
tests for profile_from_attachment().
Extend the policy syntax to have a rule that allows specifying all
permissions for all rule types.
allow all,
This is useful for making blacklist based policy, but can also be
useful when combined with other rule prefixes, eg. to add audit
to all rules.
audit access all,
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1103
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Extend the policy syntax to have a rule that allows specifying all
permissions for all rule types.
allow all,
This is useful for making blacklist based policy, but can also be
useful when combined with other rule prefixes, eg. to add audit
to all rules.
audit access all,
Signed-off-by: John Johansen <john.johansen@canonical.com>
This lays the ground work for fine grained network mediation. The switch to using the rules class brings the advantages of shared infrastructure and is needed for tracking all the different combinations possible with finer control.
In addition range generation and support for large numbers (needed for ipv6) are added. This patchset does not make policy visible changes to network rules.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1104
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Since network rules don't use the "perms" attribute, it is using the
dedup class in which duplicate rules are removed.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
There is one significant difference in the encoding of the network
rules. Before this change, when the parser was encoding a "network,"
rule, it would generate an entry for every family and every
type/protocol. After this patch the parser should generate an entry
for every family, but the type/protocol is changed to .. in the pcre
syntax. There should be no difference in behavior.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
using dfprintf for error messages subjects them to the other
output controls and can cause them to be surpressed when they
shouldn't.
Instead use a dedicated error function and add a quiet flag to
allow silencing errors.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1102
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
using dfprintf for error messages subjects them to the other
output controls and can cause them to be surpressed when they
shouldn't.
Instead use a dedicated error function and add a quiet flag to
allow silencing errors.
Signed-off-by: John Johansen <john.johansen@canonical.com>
By default aa-status outputs with --verbose enabled - if --json is also
specified then aa-status would currently output in its first line "apparmor
module is loaded.":
aa-status --json | head -n1
apparmor module is loaded.
And only after this the actual json output would follow. This then results in
failures to parse this JSON output:
aa-status --json | jq .
parse error: Invalid numeric literal at line 1, column 9
This in turn then breaks tools / tests which expect the output of aa-status
--json to be purely json - e.g:
https://salsa.debian.org/apparmor-team/apparmor-profiles-extra/-/blob/debian/unstable/debian/tests/policy-is-loaded#L12
So ensure dprintf() etc do not output when --json is specified to restrict the
output of aa-status to pure JSON.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1097
Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>
coverity is reporting an overrun of the profile_mode_table
217 if (merge_profile_mode(mode, rhs.mode) == MODE_CONFLICT)
>>> CID 322989: (OVERRUN)
>>> Overrunning array "profile_mode_table" of 6 8-byte elements at element index 6 (byte offset 55) using index "this->mode" (which evaluates to 6).
this is because it is being indexed by the profile_mode enum which can
go up to a 6th entry. The code tests for MODE_CONFLICT before using
the table so it shouldn't trigger a bug today, but play it safe for
the future and also get rid of the coverity scan error by adding a
"conflict" entry to the mode_table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1098
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
SIGNAL makes more sense because it's about a single signal.
Besides that, a9494f5523 introduced a (at
that point broken) usage of SIGNAL which becomes valid with this commit.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1100
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
