... now that they all got it added.
Also remove a superfluous backslash in another make target.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/980
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... to just the basename and profile name.
This also means to make the firefox and firefox.sh profiles named profiles.
Note: in the `firefox.sh` profile, the local include was added just today, therefore I think changing it (instead of adding) should be fine.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/975
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
contributed by Werner Fink via
https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 comment 25
Note that - compared to the file in bugzilla - I removed the `rix` rules
for /usr/bin/groff and /usr/bin/nroff so that people can choose to ix,
Px or Cx groff/nroff as they wish, and then include the abstraction
inside the target profile to allow executing all the helpers.
I also added `include if exists <abstractions/groff.d>`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/973
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This MR addresses step 1 of 6 in #280, i.e. merging Launchpad translations into `master`. Tests are currently failing in this branch due to newly-introduced hotkey conflicts. I therefore prefixed this MR's title with "Draft: " to prevent premature merging. How would you like these hotkey conflicts resolved?
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/966
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... for var/lib/nscd/passwd and var/lib/nscd/group
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/960
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This was due to the values being defined in both af_unix and af_rule leaving the latter values unset.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/979
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Recently got bitten by `usr.sbin.lighttpd` not having the local include, so I figured I'd bring all the `extras/` profiles up to parity.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/974
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
contributed by Werner Fink via
https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 comment 25
Note that - compared to the file in bugzilla - I removed the `rix` rules
for /usr/bin/groff and /usr/bin/nroff so that people can choose to ix,
Px or Cx groff/nroff as they wish, and then include the abstraction
inside the target profile to allow executing all the helpers.
I also added `include if exists <abstractions/groff.d>`
Resolves#292.
This fix is the same as !830 but for Brave.
Opening links in Brave now works as intended.
Note that now a separate denial is caused, related to WidevineCDM, is produced:
```
[ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object)
```
In the syslog:
```
audit: type=1400 audit(1671108748.090:117): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=65765 comm="brave" requested_mask="m" denied_mask="m" fsuid=1000 ouid=100
```
I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR.
If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin:
```
audit: type=1400 audit(1671112807.666:174): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=112098 comm="brave" capability=21 capname="sys_admin"
```
which is fine, as mentioned by @jjohansen [here](https://gitlab.com/apparmor/apparmor/-/merge_requests/830#note_831915024).
Closes#292
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/957
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
In the [merge request that adds AppArmor support on D-Bus Broker](https://github.com/bus1/dbus-broker/pull/286), the word "method" is used instead of "member" on the auditing logs.
So we are adding support to parse "method" the same way as "member" on D-Bus audit logs.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/958
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
- ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory
- crypoto: allow reading /etc/gcrypt/hwf.deny
I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/961
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The key of SYSV message queues is an integer and the kernel uses an
integer to store the key. In order to improve performance when
travelling the DFA in the kernel, we should use an integer instead of
the string.
This [patch](5501f45f40) contains a rough implementation of what that would look like on the kernel side
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/968
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The key of SYSV message queues is an integer and the kernel uses an
integer to store the key. In order to improve performance when
travelling the DFA in the kernel, we should use an integer instead of
the string.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The mqueue tests were using the previous format which was specific for
capabilities. The qual= prefix should be used instead.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
dbus-broker requires some modification of the test suite. In summary:
* refactor to support starting and stopping both dbus and dbus-broker.
* Make it so we can run the tests on each, where appropriate
* skip unrequested reply and eavesdrop tests for dbus broker because they are not supported.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/965
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
DBus Broker was enabled for the dbus_message and dbus_service
regression tests.
The dbus_eavesdropping test does not run with dbus-broker because
eavesdropping was deprecated in favor or monitoring, so new tests for
the "BecomeMonitor" method need to be added.
The dbus_unrequested_reply test is also not supported by dbus-broker,
therefore the tests are skipped.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Commit 8cf3534a5 ("tests regression: fix failure on older versions of
Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639
was incorrectly applied, including the `+` prefixes from the proposed
patch. This causes the sysctl syscall() checks to not correctly be
applied and results in a mismatch of expectations in the
syscall_sysctl.sh test script, causing it and the testsuite to fail.
Thus, remove the bogon `+` characters from the Makefile, to make
USE_SYSCTL be set correctly.
Fixes: 8cf3534a5 ("tests regression: fix failure on older versions of Make")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/963
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The test "eavesdrop (confined w/o dbus perms)" was failing for the
wrong reason. While it should fail because it is missing dbus rules, it
was actually failing because it didn't have the required unix rule.
The error message was:
"FAIL: Failed to open connection to "session" message bus: Failed to open socket: Permission denied"
Corresponding audit log:
[28306.743863] audit: type=1400 audit(1671048091.505:297): apparmor="DENIED" operation="create" class="net" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" pid=6787 comm="dbus_eavesdrop" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
After the change, the error message is:
FAIL: Failed to open connection to "session" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
Corresponding audit log:
[28444.248268] audit: type=1107 audit(1671048229.009:300): pid=6826 uid=0 auid=1000 ses=5 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6854 label="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The profile generated by dbus did not include this rule
which caused the following DENIED audit logs:
[26937.013475] audit: type=1400 audit(1671046721.776:246): apparmor="DENIED" operation="getattr" class="file" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_message" name="/tmp/sdtest.5720-14413-VQMPsH/output.dbus_message" pid=5866 comm="dbus_message" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
As reported in issue #295, the json output from aa-status would be invalid if
there were profiles defined for processes that were unconfined. Fix this by
ensuring the json for the processes array is closed properly.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/964
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
As reported in issue #295, the json output from aa-status would be invalid if
there were profiles defined for processes that were unconfined. Fix this by
ensuring the json for the processes array is closed properly.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
getopt returns an int, not a char.
Error caused by this issue could only be observed on non-x86 systems.
Closes LP#2000359
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/962
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Steve Beattie <gitlab@nxnw.org>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Commit 8cf3534a5 ("tests regression: fix failure on older versions of
Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639
was incorrectly applied, including the `+` prefixes from the proposed
patch. This causes the sysctl syscall() checks to not correctly be
applied and results in a mismatch of expectations in the
syscall_sysctl.sh test script, causing it and the testsuite to fail.
Thus, remove the bogon `+` characters from the Makefile, to make
USE_SYSCTL be set correctly.
Fixes: 8cf3534a5 ("tests regression: fix failure on older versions of Make")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
getopt returns an int, not a char.
Error caused by this issue could only be observed on non-x86 systems.
Closes LP#2000359
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
small fixes on log parsing
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/959
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
If the "operation" field is not present, we get the following error:
AttributeError: 'NoneType' object has no attribute 'startswith'
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
