parser/apparmor.systemd: fix minor issues detected by shellcheck
See merge request apparmor/apparmor!293
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
See merge request apparmor/apparmor!299
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
profiles/apparmor.d/abstractions/X: make x11 socket read-only
Write access isn't needed for connecting to x11 socket. Also clear some duplicate and redundant rules in other abstractions.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/281
Acked-by: John Johansen <john.johansen@canonical.com>
/var/lib/dhcp/dhcpd6.leases path for lease file on IPv6 has been in
dhcp repository since 2008, now visible in commit 8dea7ba7 ("Add DHCPv6
files in configure").
Signed-off-by: Petr Vorel <pvorel@suse.cz>
/var/lib/dhcp/dhclient6.leases path for lease file on IPv6 has been in
dhcp repository since 2008, now visible in commit 8dea7ba7 ("Add DHCPv6
files in configure").
Adding it via extending dhclient-*.leases pattern.
Not sure whether /var/lib/dhcp6/dhclient.leases was ever used on Linux,
but keep in for backward compatibility.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Split out RE_FLAGS
... instead of having it duplicated in RE_PROFILE_HAT_DEF and RE_PROFILE_START.
Note that the flags=... handling in RE_PROFILE_HAT_DEF was more/too
strict (for example it didn't allow whitespace around the "="), so this
change also qualifies as a little bugfix.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/287
Acked-by: John Johansen <john.johansen@canonical.com>
dovecot: allow reading /proc/sys/fs/suid_dumpable
This is needed if a dovecot child process segfaults - in this case, dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.or /bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
I propose this fix for 2.10..master.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/286
Acked-by: John Johansen <john.johansen@canonical.com>
Ignore *.orig and *.rej files when loading profiles
This was "accidently" reported by Ralph on the opensuse-support
mailinglist.
I propose this for 2.10..master (I verified that 2.10 tools and libapparmor have *.orig and *.rej in the ignore list)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/282
Acked-by: John Johansen <john.johansen@canonical.com>
dnsmasq profile updates by Petr Vorel
This merge request includes two dnsmasq profiles Petr Vorel sent to the mailinglist:
dnsmasq: Add pid file used by NetworkManager
dnsmasq: Adjust pattern for log files to comply SELinux
I propose these patches for 2.11..master.
I'm not against also backporting to 2.10, but the profile in 2.10 doesn't allow to write anything in /var/log/, so either we apply/backport the changes manually, or we rely on the fact that we didn't get any bugreports for it ;-) Oh, and since I'm only forwarding these patches, I'll already add
Acked-by: Christian Boltz apparmor@cboltz.de for 2.11..master
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/288
i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
... instead of having it duplicated in RE_PROFILE_HAT_DEF and
RE_PROFILE_START.
Note that the flags=... handling in RE_PROFILE_HAT_DEF was more/too
strict (for example it didn't allow whitespace around the "="), so this
change also qualifies as a little bugfix.
This is needed if a dovecot child process segfaults - in this case,
dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
In fed101920b, the coverity build process
was modified to split out the build logs into separate files, instead of
having one log file that gets overwritten repeatedly, making failures
hard to debug.
However, the coverity service gets upset if there is no file named with
the expected build log name. Therefore, instead, we'll capture the
python bits first, and then capture all the compilation bits in one
cov-build command.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/273
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
`/etc/letsencrypt/live/` contains symlinks to
`/etc/letsencrypt/archive/` which contains the keys. Add the
certs to ssl_certs and the private keys to ssl_keys.
Grant the ability to communicate with the postfix named child profiles
via signals and unix sockets. Include the path-based match names as
a fallback on upgrades.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Convert all the postfix subprocesses to using named profiles instead of
path match profiles, and adjust exec paths for newer debian/ubuntu
releses. Rename profiles to match profile names.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Convert postfix's master profile to use a named profile
(postfix-master) rather than the exec path match pattern. Adjust
postfix-common abstraction to take this into account. Rename profile
name in the profiles/apparmor/profiles/extras/ directory to match
the profile name.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
aa-genprof checks if one of the profiles in the extra profile dir
matches the binary, and proposes to use that profile as a starting
point.
Since 4d722f1839 the "(V)iew profile"
option to display the proposed profile was broken.
The easiest fix is to remember the filename in the extras directory, and
display the file from there.
Sidenote: when choosing to use the extra profile, it gets written to
disk without any problems, so this bug really only affected "(V)iew
profile" to preview the proposed extra profile.
