adjust abstractions/base and nameservice for /usr/etc/ move
See merge request apparmor/apparmor!447
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments.
Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404
Acked-by: John Johansen <john.johansen@canonical.com>
abstractions/base: allow read access to /run/uuidd/request
See merge request apparmor/apparmor!445
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
abstractions/gnome: also allow /etc/xdg/mimeapps.list
See merge request apparmor/apparmor!444
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
abstractions/base: allow read access to top-level ecryptfs directories
See merge request apparmor/apparmor!443
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
add missing *.d include to dbus-network-manager-strict abstraction
See merge request apparmor/apparmor!448
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Fixes two resource leaks. https://scan.coverity.com/projects/apparmor
I don't actually know how to link to the individual reports but the
first one comes from an early return. The second comes from an iterator
potentially being empty.
/run/uuidd/request is hardcoded in libuuid from util-linux and uuidd
listens on this socket to provide random and time-based UUIDs in a
secure manner (man 8 uuidd). Some applications (eg, python's uuid)
prefer to use this socket, falling back to getrandom(), /dev/urandom,
etc. Eg:
$ strace -f aa-exec -p test -- \
python3 -c 'import uuid ; print("%s\n" % str(uuid.uuid1()))'
...
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = -1 EACCES (Permission denied)
getrandom("\x8e\x89\xa5\xe7\x39\x1b", 6, GRND_NONBLOCK) = 6
...
uuidd itself produces random numbers using getrandom() and
/dev/{,u}random (falling back to time-based if not), which are already
allowed in the base abstraction. The uuidd daemon, when available, runs
unprivileged under a dedicated user, so allowing read-only access to
/run/uuidd/request is reasonable.
Make kde-open5 abstraction more conservative by removing gstreamer
support by default. Update usage example to suggest conditionally including
gstreamer abstraction if required.
Update kde-open5 abstraction to not include accessibility abstraction by
default.
Update documentation to suggest adding it manually in child profile when
using kde-open5 if accessibility access is required by profile author.
Update exo-open abstraction to not include accessibility abstraction by
default.
Update documentation to suggest adding it manually in child profile when
using exo-open if accessibility access is required by profile author.
In case of error (for example failing to open provided uri) message box
is show, and alert sound is played. Currently `exo-open` abstraction
does not allow access to audio subsystems in result producing denials in
system logs.
Update abstraction to include `abstractions/audio`.
Implement set of abstractions to handle opening uris via xdg-open and similar
helpers used on different desktop environments.
Abstractions are intended to be included into child profile, together
with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for
fine-grained control on what confined application can actually open via xdg-open
and similar helpers.
This helped a lot to debug the CI failure caused by 3db14e8e / !430 (merged), and won't add any noise as long as configure succeeds.
Note that this MR is based on master without !433 (merged) which means it will fail in CI (and display config.log). After !433 (merged) got merged, I'll rebase it to show that it won't add additional noise as long as everything works.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/434
Acked-by: John Johansen <john.johansen@canonical.com>
Allow /usr/etc/ in abstractions/authentication
openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.
See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.
Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162
See merge request apparmor/apparmor!426
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Some applications queries network configuration (using QNetworkConfigurationManager class in Qt and similar), and that produces DBus denials under AppArmor confinement when NetworkManager backend is used.
Add abstraction that allows most common read-only DBus queries for getting current network configuration from NetworkManager backend.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/409
Acked-by: John Johansen <john.johansen@canonical.com>
Requires NPAPI which no major browsers support anymore: Mozplugger npviewer / nspluginwrapper
The following have been discontinued Google Talk (and plugin) f-spot conkeror galeon Mozilla Prism rekonq Adobe Reader for Linux
Other gnome-codec-install is not in Ubuntu anymore gstreamer0.10 was replaced by 1.0
PR: https://gitlab.com/apparmor/apparmor/merge_requests/417
Acked-by: John Johansen <john.johansen@canonical.com>
Add support for out of band transitions that be to separate elements that can contain any input character. Out of band transitions can only be triggered by explicit transitions in the code (instruction stream). They function the same as the null transition except they work for all input and when writing expressions there is no need to not match them.
The out of band transitions show up in the dfa as negative offsets from the base. Currently only a single out of band transition of -1 is supported, but it is fairly trivial to add new ones if needed. The negative offset for out of band transitions were chosen instead of positive offsets that are out of input range to leave open the option of extending the input range in the future.
kernel patches: apparmor-kernel!6
v2.
fix spacing error identified by cboltz
update commit messages and signed-off-bys
allow globbing in xattrs to match NULL character
free leaked xattr cond_entry_list
make xattr generation conditional on kernel support
v3.
fix crash in commit: parser: make sure xattr cond_entry_list is not leaked
port eric's patch from !362 "support matching xattr keys but not values" to work with out of band transitions, and not a separate value array
v4.
double free fix crash of xattr.name in parser: make sure xattr cond_entry_list is not leaked
remove xattr/bad_XX tests that are no longer bad because attr names do not have to have a value specified
v5
fix bug in append_rule where the out of band transition was being converted to character 255
v6
fix bug in writing of dfa header flags value
v7
fix bug in out of band transitions where they could in certain cases be matched by an expression and hence not function as a separator.
fix xattr encoding so xattr presence can be determined distinctly from xattr value
fix xattr encoding so xattrs are not treated as optional
fix xattr encoding so that permissions are properly encoded at the end of each segment match
update xattr regression tests to make failures unique and reflect that nul character values are now allowed
v8
update transchar comment
v9
update tranchar comment
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time Out
Update the xattr_profile.sh tests so that
- each test can be uniquely identified
- the embedded nul tests are updated to the now supported/passing state
Signed-off-by: John Johansen <john.johansen@canonical.com>
The current encoding makes every xattr optional and uses this to
propogate the permission from the tail to the individual rule match
points.
This however is wrong. Instead change the encoding so that an xattr
(unless optional) is required to be matched before allowing moving
onto the next xattr match.
The permission is carried on the end on each rule portion file match,
xattr 1, xattr 2, ...
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make sure we can support optional xattrs distinct from optional xattr
values in the encoding.
Currently all xattrs specified are required to be present even
if there value is not specified. However under the old encoding there
was no way to distinguish if the presence of the xattr vs. the
xattr having a null length value.
Fix this so that if we decide to support optional xattrs it is possible
without having to change the abi.
Signed-off-by: John Johansen <john.johansen@canonical.com>
