Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include <tunables/global>
/home/jeffm/mycat flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
/bin/bash ix,
/bin/cat cx,
/home/jeffm/mycat r,
profile /bin/cat {
#include <abstractions/base>
/bin/cat r,
/home/jeffm/mycat r,
}
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/707092
Subject: Subdomain.pm: Fix for null path
References: bnc#407959
When handling the following log entry, logprof will spew perl errors and
ultimately generate an invalid config: "r,"
Since there is nothing to do with a null path, just skip to the next entry.
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
[Note that the second half of the OpenSUSE patch had already been applied.]
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
References: bnc#307067
The initial generation of the base profile is required to be written out
to put the process in complain mode for observation. If the user
decides to abort the profiling session, that base profile is left
behind.
This patch removes all profiles created during the run up to an abort.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
This patch fixes a logprof bug where when profiles with variable
declarations at the top level (not hidden in an include) were written
back to a file, a trailing comma was being added to the declaration
statement, which is invalid apparmor policy syntax. This patch corrects
this and no longer adds the trailing comma.
Subject: apparmor: Fix network event parsing
References: bnc#665483
The upstream version of AppArmor had network mediation but it was
removed. There's a compability patch floating around that both openSUSE
and Ubuntu have applied to their kernels. Unfortunately, one part was
overlooked. The socket operation event names where changed from the
socket_ prefixed names they had when AppArmor was out-of-tree and
utils/SubDomain.pm was never updated to understand them.
This patch adds an operation-type table so that the code can just
do a optype($operation) call to discover what type of operation a
particular name refers to. It then uses this in place of the socket_
checks to decide whether an event is a network operation.
This allows genprof and logprof to work with networking rules again.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/706733
rename_dest, and mkdir operations into account, as well as add
logparsing library testcases for those operations.
Bug: https://bugs.launchpad.net/apparmor/+bug/623467
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Update log parser grammar to handle new LSM-audit log messages.
Add testcases for new LSM-audit log messages.
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Kees Cook <kees@ubuntu.com>
- Update matching regex for reordered kernel audit messages (when they
come through syslog). Ideally, rather than use a regex, the utils would
just use the log parsing library to determine whether it's a log even
of interest.
- fix debugging code write a logfile in /var/log/apparmor and not a
predictable location in /tmp; File::Temp would be the right solution
except that the log file is created in a BEGIN clause, and
File::Temp.new() ends up returning an unopened filehandle in that
situation, so logging fails. Someone with more perl-fu may know how to
fix that.
Fork tracking is broken by the kernel message for clone no longer supplying
the child pid correctly. Instead the parent pid will be output with each
message and the tools will fake a fork when they detect a previously
unknow parent child relationship.
- flags being dropped from hats
- rules can be poorly split on writing the profile
- identical rules with different permissions are not properly combined, so
that only permissions of the last rule are kept
- rpc was failing when passing arrays because the perl is_utf8 string flag
was set even though its only sending numbers but newer HTTP::Message
checks for this is_utf8 and if it finds it aborts.
- fix local profiles
local profiles were failing because
1.) the parameters to serialize_profile were bad
2.) the file location was not getting updated so they would get written
back to the inactive profiles directory
