Though many Linux distros choose to pass _/usr/lib_ as the libexecdir while configuring dovecot, such as [Debian](https://sources.debian.org/src/dovecot/1%3A2.3.20%2Bdfsg1-1/debian/rules/#L132) and [Arch](https://gitlab.archlinux.org/archlinux/packaging/packages/dovecot/-/blob/main/PKGBUILD#L76), others like Alpine Linux and Gentoo don't pass anything as libexecdir, allowing it to default to _/usr/libexec_.
Both appear to be valid. From [FHS 3.0, Chapter 4.7](https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html):
> Some previous versions of this document did not support _/usr/libexec_, despite it being standard practice in a number of environments. To accomodate this restriction, it became common practice to use _/usr/lib_ instead. Either practice is now acceptable, but each application must choose one way or the other to organize itself.
Allow for the default libexec subdir _/usr/libexec/dovecot_ as well as the more common
_/usr/lib/dovecot_.
Signed-off-by: Peter Levine <plevine457@gmail.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1080
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 941118c699)
37ffc6ea profiles: allow for the default dovecot libexecdir
Apologies for the second push; this change is made with the understanding that the abstraction is not intended to be solely read-only.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1059
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 5b7e637872)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Found in testing a slimmed-down `usr.sbin.sshd` profile:
```
Jun 8 21:09:38 testvm kernel: [ 54.847014] audit: type=1400 audit(1686272978.009:68): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=1035 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
Not sure what glibc/system call uses this, but it seems pretty broadly applicable, and read access is presumably harmless. [THP reference](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1050
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ad3750058d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
/etc/ld-musl-*.path is required to perform dynamic linking on musl libc.
The wildcard is to match all CPU architectures, like x86_64.
type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Closes#333
Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com>
Closes#333
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1047
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 6e0d776f65)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When opening snap browsers with evince using the snap_browsers
abstraction, we get the following AppArmor denials which prevent the
browsers from opening
audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
This MR should be cherry-picked into 2.13, 3.0, 3.1
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1045
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit a00ece5b6e)
daec4bc8 profiles: add lock file permission to snap browsers
`unscd` is a drop-in replacement for `nscd` that uses the same binary location (`/usr/sbin/nscd`) and config file (`/etc/nscd.conf`). The `usr.sbin.nscd` profile only needs one additional permission to support it.
```
May 9 18:07:42 darkstar kernel: [ 2706.138823] audit: type=1400
audit(1683670062.580:839): apparmor="DENIED" operation="sendmsg"
profile="nscd" name="/run/systemd/notify" pid=4343 comm="nscd"
requested_mask="w" denied_mask="w" fsuid=125 ouid=0
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1031
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit dec3815f07)
bd0d401b nscd: add permission to allow supporting unscd
... by allowing to read all files below ~/.icons instead of only the
directory listing.
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1008
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit fa86a7f1d9)
954b11fc abstractions/freedesktop.org: allow custom cursors
(Don't remove rules from the usr.sbin.{dnsmasq,nmbd,winbindd} profiles,
however, as these have been transferred to abstractions which might not
be correctly updated on a user system)
This is used by various applications including libreoffice etc so it may as well
be added to the base abstraction along with the existing zoneinfo DB access.
AVC apparmor="DENIED" operation="open" class="file" profile="snap.libreoffice.calc" name="/usr/share/zoneinfo-icu/44/le/zoneinfo64.res" pid=44742 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1007
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 8d9985ac0b)
c691b11d abstractions/base: allow reading tzdata ICU zoneinfo DB
For example winbindd when configured on a samba system using
sssd can trigger
apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/winbindd" name="/usr/lib64/krb5/plugins/authdata /sssd_pac_plugin.so" pid=2798 comm="winbindd" requested_mask="m" denied_mask="m" fsuid=52311 ouid=0
Signed-off-by: Noel Power <noel.power@suse.com>
(cherry picked from commit 6e94794c68)
On Arch Linux, `samba-dcerpcd.pid` is in `/run/`, not `/run/samba/`.
apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The same is true for `nmbd.pid`, `smbd.pid` and probably others too.
(cherry picked from commit 6f0d2ef7fe)
samba-dcerpcd requires access to `/var/cache/samba/names.tdb`.
audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
See also https://bbs.archlinux.org/viewtopic.php?id=281411
Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd`
has similar ones, simply add `/var/cache/samba/*.tdb rwk` to
`abstractions/samba`.
(cherry picked from commit 763c4ecd23,
with cleanup of now-superfluous rules in usr.sbin.nmbd and
usr.sbin.winbindd dropped)
contributed by Werner Fink via
https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 comment 25
Note that - compared to the file in bugzilla - I removed the `rix` rules
for /usr/bin/groff and /usr/bin/nroff so that people can choose to ix,
Px or Cx groff/nroff as they wish, and then include the abstraction
inside the target profile to allow executing all the helpers.
I also added `include if exists <abstractions/groff.d>`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/973
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 238eb8150b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
openSUSE Tumbleweed uses /etc/ssl/openssl-1_1.cnf to make the migration
to openssl 3 possible.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1207911
I propose this patch for at least 3.1 and master, ideally for all branches (as long as it can easily be merged)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/984
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f223ed063e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Seen/needed on openSUSE Tumbleweed
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/981
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3e89b4aab2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
... for var/lib/nscd/passwd and var/lib/nscd/group
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/960
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 2c72dd5541)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The local include in firefox.sh was just added today. Change it to the
value we have in master (as soon as !975 gets accepted).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/976
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Recently got bitten by `usr.sbin.lighttpd` not having the local include, so I figured I'd bring all the `extras/` profiles up to parity.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/974
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 8895e00ef1)
d0e32a32 Ensure all profiles in extras/ have optional local include + comment
Resolves#292.
This fix is the same as !830 but for Brave.
Opening links in Brave now works as intended.
Note that now a separate denial is caused, related to WidevineCDM, is produced:
```
[ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object)
```
In the syslog:
```
audit: type=1400 audit(1671108748.090:117): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=65765 comm="brave" requested_mask="m" denied_mask="m" fsuid=1000 ouid=100
```
I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR.
If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin:
```
audit: type=1400 audit(1671112807.666:174): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=112098 comm="brave" capability=21 capname="sys_admin"
```
which is fine, as mentioned by @jjohansen [here](https://gitlab.com/apparmor/apparmor/-/merge_requests/830#note_831915024).
Closes#292
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/957
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 5fd8c25745)
Signed-off-by: John Johansen <john.johansen@canonical.com>
- ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory
- crypoto: allow reading /etc/gcrypt/hwf.deny
I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/961
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit bb30df7843)
d15bfa99 Extend crypto and ssl_certs abstractions
(reported on the opensuse-factory mailinglist)
I propose this patch for 2.13..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/948
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ba01d479e2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Glibc in 2.36 and later will [1] access sysfs at
/sys/devices/system/cpu/possible when usig sysconf
for _SC_NPROCESSORS_CONF.
That will make a lot of different code, for example
anything linked against libnuma, trigger this apparmor
denial.
apparmor="DENIED" operation="open" class="file" ...
name="/sys/devices/system/cpu/possible" ...
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This entry seems rather safe, and it follows others
that are already in place. Instead of fixing each
software individually this should go into the base
profile as well.
Initially reported via
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
MR: none - ML
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit c159d0925a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When WSL automatically generates a resolv.conf for an instance, the /etc/resolv.conf file is a symlink to /mnt/wsl/resolv.conf. This patch adds an entry for this to the other policies to handle such management.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/935
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 8fa77e9e6c)
5232eaa2 Adds /mnt/wsl/resolv.conf to nameservices.
On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in
/var/log/journal/*.journal - without an additional subdirectory level.
I propose this patch for 2.13..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/932
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The upstream php-fpm.conf file carries the following pid file example
path:
[global]
; Pid file
; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
; Default Value: none
;pid = run/php-fpm.pid
Add this path to profiles/apparmor.d/php-fpm, alongside the current
nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: David Disseldorp <ddiss@suse.de>
Closes#267
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/914
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit d024100efe)
d8533ec8 profiles: permit php-fpm pid files directly under run/
Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since
this is probably unrelated to the path or a path change, this commit
also adds r permissions for the previous path.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161
I propose this patch for 3.0 and master (optionally also for 2.12 and 2.13 - please tell me if you want that after reviewing the patch, or just merge ;-)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/905
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since
this is probably unrelated to the path or a path change, this commit
also adds r permissions for the previous path.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161
profiles/Makefile:
Set PYTHON_DIST_BUILD_PATH using
libraries/libapparmor/swig/python/test/buildpath.py as it solves the
problem of setting the build directory generically.
