Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include <tunables/global>
/home/jeffm/mycat flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
/bin/bash ix,
/bin/cat cx,
/home/jeffm/mycat r,
profile /bin/cat {
#include <abstractions/base>
/bin/cat r,
/home/jeffm/mycat r,
}
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/707092
Subject: Subdomain.pm: Fix for null path
References: bnc#407959
When handling the following log entry, logprof will spew perl errors and
ultimately generate an invalid config: "r,"
Since there is nothing to do with a null path, just skip to the next entry.
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
[Note that the second half of the OpenSUSE patch had already been applied.]
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor-utils: Translation unification
References: bnc#586072
This patch removes small inconsistencies between identical strings to
allow for easier translation.
Reported-by: Isis Binder <isis.binder@gmail.com>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
license/copyright statement. It should have been covered under both
the Immunix acquisition by Novell Inc and by the open sourcing of
the apparmor tree by Novell Inc.
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
References: bnc#307067
The initial generation of the base profile is required to be written out
to put the process in complain mode for observation. If the user
decides to abort the profiling session, that base profile is left
behind.
This patch removes all profiles created during the run up to an abort.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
This patch fixes a logprof bug where when profiles with variable
declarations at the top level (not hidden in an include) were written
back to a file, a trailing comma was being added to the declaration
statement, which is invalid apparmor policy syntax. This patch corrects
this and no longer adds the trailing comma.
Subject: apparmor: Fix network event parsing
References: bnc#665483
The upstream version of AppArmor had network mediation but it was
removed. There's a compability patch floating around that both openSUSE
and Ubuntu have applied to their kernels. Unfortunately, one part was
overlooked. The socket operation event names where changed from the
socket_ prefixed names they had when AppArmor was out-of-tree and
utils/SubDomain.pm was never updated to understand them.
This patch adds an operation-type table so that the code can just
do a optype($operation) call to discover what type of operation a
particular name refers to. It then uses this in place of the socket_
checks to decide whether an event is a network operation.
This allows genprof and logprof to work with networking rules again.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/706733
* add Canonical to the headers of the pod files touched
* use aa_change_hat() instead of change_hat() (LP: #692216)
* use http://wiki.apparmor.net in the SEE ALSO
* use http://https://bugs.launchpad.net/apparmor/+filebug for bugs
* prefix 'aa-' in SEE ALSO section for utilities (eg, 'aa-complain'
for 'complain')
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
rename_dest, and mkdir operations into account, as well as add
logparsing library testcases for those operations.
Bug: https://bugs.launchpad.net/apparmor/+bug/623467
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Update log parser grammar to handle new LSM-audit log messages.
Add testcases for new LSM-audit log messages.
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Kees Cook <kees@ubuntu.com>
These commits should bring apparmor_notify and apparmor_notify.pod
up to what is in trunk. In short:
- add long options
- cleanup output
- better handle auditd
- handle logfile rotation
- use seteuid() to drop privileges so we can raise/drop after log
file rotation. Add -u USER option for dropping privileges when not
using sudo
- man page updates
- group like entries together when using -v with -s (and later cleanups
including LP: #582075)
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
For now just look at 'name=...' which is usually the last in the log entry,
so validate input against this and output based on it.
TODO: better handle other cases too
- Update matching regex for reordered kernel audit messages (when they
come through syslog). Ideally, rather than use a regex, the utils would
just use the log parsing library to determine whether it's a log even
of interest.
- fix debugging code write a logfile in /var/log/apparmor and not a
predictable location in /tmp; File::Temp would be the right solution
except that the log file is created in a BEGIN clause, and
File::Temp.new() ends up returning an unopened filehandle in that
situation, so logging fails. Someone with more perl-fu may know how to
fix that.
Fork tracking is broken by the kernel message for clone no longer supplying
the child pid correctly. Instead the parent pid will be output with each
message and the tools will fake a fork when they detect a previously
unknow parent child relationship.
/usr/bin/rsyncd) bnc#408869
The unconfined tool shows:
[...]
29799 /usr/bin/rsync not confined
29799 /usr/bin/rsync not confined
This is because unconfined is grabbing the post symlink resolved exe filename
which for /usr/sbin/rsyncd is /usr/bin/rsync.
To fix this provide both the cmdline and exec name in parenthesis when the
exe name and the cmdline name differ.
For the above example you would see
29799 /usr/bin/rsync (/usr/sbin/rsyncd) not confined
- flags being dropped from hats
- rules can be poorly split on writing the profile
- identical rules with different permissions are not properly combined, so
that only permissions of the last rule are kept
