Similarly to https://gitlab.com/apparmor/apparmor/-/merge_requests/689, use the
global CFLAGS when building Python library, so we honor extra flags set by
distributions, such
as -fstack-protector-strong -fstack-clash-protection -Werror=format-security -fcf-protection.
Spotted by blhc on Debian.
Gbp-Pq: Name Honor-global-CFLAGS-when-building-Python-library.patch
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1254
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 1ec42d8bec)
b7d75638 Honor global CFLAGS when building Python library
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
Installation of php-fpm fails on Ubuntu because the profile does not allow writing to /run/systemd/notify.
Fixes: https://bugs.launchpad.net/bugs/2061113
Signed-off-by: Georgia Garcia georgia.garcia@canonical.com
I propose this fix for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1251
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 70ddb0ca5b)
49aa7ae3 profiles: installation of php-fpm needs w @{run}/systemd/notify
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
This partially reverts commit d1311cc93f.
During the cherry-pick, I incorrectly assumed the patches for fine
grained support of network rules from MR
https://gitlab.com/apparmor/apparmor/-/merge_requests/1216 were part
of apparmor-4.0, therefore the test cases added in commit d1311cc93f
fail.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
saddr, daddr, src and dest are used in network logs
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 6774654424)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/397
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
aa-remove-unknown doesn't deal properly with profiles that contain
spaces in their names.
Using profile "MongoDB Compass" as an example, awk's sub returns the
number of matches - either 1 or 0 and replaces the actual string ($0)
with the substitution. By accessing the return of sub with $, awk
would be accessing $1 which would return only "MongoDB".
Fix this by using $0 instead of $str.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/395
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes#395
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1243
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 920120ffea)
7ef7704f utils: fix removing unknown profiles that contain spaces
Co-authored-by: John Johansen <john@jjmx.net>
While on it,
- add some comments explaining what the profile does
- adjust the rule with the Debian/Ubuntu path to work with Qt6
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961
I propose this fix for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1248
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit a6a121144b)
64469afa Add openSUSE path to plasmashell profile
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
This file contains the same kind of information as @{PROC}/@{pid}/net/route
and both files are world readable:
```
$ ls -l /proc/self/net/*route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/ipv6_route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/route
```
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1246
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 5adeb86bbe)
7770cd71 abstractions/nameservice: allow reading @{PROC}/@{pid}/net/ipv6_route
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
Without this patch, aa-remove-unknown uses 'profile_name (unconfined)'
when trying to unload unconfined profiles, which fails for obvious
reasons with (picking a random example)
Removing 'busybox (unconfined)'
/sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory
I propose this patch for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1240
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit cf5be7d356)
cabd88a9 Fix aa-remove-unknown for 'unconfined' profiles
Co-authored-by: Georgia Garcia <georgia.garcia@canonical.com>
Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source.
Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid.
For the same reason, specifying a fstype in these cases is also prohibited.
Similarly, we prohibit to specify a fstype for bind mount rules.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685
(cherry picked from commit 60acc4a405)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1237
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source.
Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid.
For the same reason, specifying a fstype in these cases is also prohibited.
Similarly, we prohibit to specify a fstype for bind mount rules.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685
(cherry picked from commit 60acc4a405)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.
Change logparser.py to also consider `operation=mount` as a mount event.
Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.
Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.
Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.
I propose this fix for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1229
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 48a936e985)
b475ed0d Handle mount events/log entries without class
Co-authored-by: Georgia Garcia <georgia.garcia@canonical.com>
- Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
- Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit baa8b67248)
dad5ee28 MountRule: Relaxing constraints on fstype and completing AARE support
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1228
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
- Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
- Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit baa8b67248)
dad5ee28 MountRule: Relaxing constraints on fstype and completing AARE support
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
Some argparse versions (for example on openSUSE Leap 15.5) instead say
"optional arguments:"
Don't rely on the "options:" line to allow both wordings.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1226
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Cherrypicked-by: Steve Beattie <steve+gitlab@nxnw.org>
Since we are using ubuntu:latest, and noble was released, some tests
are failing.
shellcheck needs python3 to run, which was possibly installed by
default in previous ubuntu images and is no longer the case.
Ignore dist-packages python files during our coverage tests.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes#388
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1223
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>
(cherry picked from commit 8c9ac7a84e)
731880de gitlab-ci.yml: fix pipeline for ubuntu:latest (noble)
aaad725a apparmor.systemd: fix shellcheck false positive
Co-authored-by: Steve Beattie <steve+gitlab@nxnw.org>
AppArmor 4.0.1 will be the official release superseding the 4.0.0 tag
the only change being it adds a regression test for CVE-2016-1585
- update version file
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add infrastructure for calling the mount test binary with an fstype
instead of using the default hardcoded ext2 type, and then use that in a
test that exercises CVE-2016-1585, ensuring that mounting a procfs
filesystem isn't permitted when the only mount rule is
mount options=(rw,make-slave) -> **,
to try to ensure that the generated and enforced policy is restricted to
what is intended.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1211
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 93c4c6fb9f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This updates the man page for the recent inet mediation patch.
This is an extension of MR 1202, it adds a patch that changes the anonymous ip address anon to be ip address none which is a better fit.
This patch adds documentation of the recent network changes which extended all network rules to support access permissions, and added address and port matching for inet and inet6 families.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1213
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ab9e6311f3)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When a family is specified in the network rules, we have to make sure
the conditionals match the family. A netlink rule should not be able
to specify ip and port for local and remote (peer) sockets, for example.
When type or protocol is specified in network rules along with inet
conditionals, we should only generate rules for the families that
support those conditionals.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/384
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes#384
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1210
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a0acf7785d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This covers the various forms of the Transmission BT client. I've tested the `-gtk` one most thoroughly, and run through an ISO download with each of the other three.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1190
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 30a45ba82f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The bwrap and unshare profiles are special profiles in the same
vein as the unconfined profiles but they actual enforce restrictions
on the applications that are launched.
As such they have come to late in the 4.0 dev cycle to consider enabling
by default. Disable them but ship them so users or distros can easily
enable them.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/382
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes#382
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1206
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 41d4664124)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This adds an unshare profile to allow it to function on a system
with user namespace restrictions enabled.
The child task of unshare will enter into a profile without capabilities
thus preventing unshare from being able to be used to
arbitrarily by-pass the user namespace restriction.
This profile does prevent applications launch with privilege (eg.
sudo unshare ...) from functioning so it may break some use cases.
Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1204
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 2d59dc3d9b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This adds a bwrap profile to allow it to function on a system with
user namespace restrictions enabled.
The child task of bwrap will enter into a profile without capabilities
thus preventing bwrap from being able to be used to arbitrarily
by-pass user namespace restrictions.
This profile does prevent applications launch with privilege (eg.
sudo bwrap ...) from functioning so it may break some use cases.
Note: The unpriv_bwrap profile is deliberately stacked against the
bwrap profile due to bwraps uses of no-new-privileges.
Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1205
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit b6f2a3d9d2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The version of tarball version of firefox downloaded from mozilla.org
installs to /opt/firefox/firefox. Support this location so that the
firefox from the tarball works.
Note this does not support running firefox from the users home directory
in this case the user must update the profile accordingly.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Fixes: https://bugs.launchpad.net/bugs/2056297
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1203
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 2dfe6aeec2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The abstraction lxc/start-container shipped by the liblxc-common
package uses the following mount rule which was not allowed by our
regexes:
mount options=(rw, make-slave) -> **,
mount options=(rw, make-rslave) -> **,
Since in AppArmor regex ** includes '/' but * by itself doesn't, I'm
adding explicit support for **.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/381
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1195
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit e96fdc0f5b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
