crypto allows reading /etc/gcrypt/random.conf, which is possibly needed
for all programs that use libgcrypt.
Reported by darix, he has seen it with vivaldi.
See https://gitlab.com/redhat-crypto/fedora-crypto-policies for details.
Reported by darix and also my own audit.log - the actual denial was for
/usr/share/crypto-policies/DEFAULT/openssl.txt.
Also allow the /etc/crypto-policies/ counterpart.
(I'm aware that the crypto policies are not really certificates, but
since they are used by several crypto libraries, ssl_certs is probably
the best place for them even if the filename doesn't match.)
the video abstraction currently it only contains the following rules:
@{sys}/class/video4linux r,
@{sys}/class/video4linux/** r,
Judging by the v4l path, this abstraction should be used whenever some
app wants to use for instance a webcam or other USB cameras to stream
video usually in chat apps. I was testing some apps, and it looks like
the following rules are needed to make the video streaming possible:
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/159
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/740
Signed-off-by: John Johansen <john.johansen@canonical.com>
Apparmor provides the wayland abstraction, but it looks like it misses
some rules. For instance, there are many wayland compositors which are
based on wlroots, and it looks like that when you try to use such
compositor, all GUI apps executed in the graphical environment can't
work properly (they don't event start). They all want the following
rule:
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/143
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/725
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently the wutmp abstraction has the following rules:
/var/log/lastlog rwk,
/var/log/wtmp wk,
@{run}/utmp rwk,
According to what I see in my apparmor profiles, just a few apps want
to interact with the files listed above, especially with the
/var/log/wtmp . But when the apps do this, they sometimes want the
read access to this file. An example could be the last command. Is
there any reason for not having the r in the rule? The second thing
is the file /var/log/btmp (which isn't included in the
abstracion). Whenever I see an app, which wants to access the
/var/log/wtmp file, it also tries to interact with the /var/log/btmp
file, for instance lightdm/sddm or su . Most of the time they need
just wk permissions, but sometimes apps need also r on this file, an
example could be the lastb command, which is just a link to last.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/152
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/724
Signed-off-by: John Johansen <john.johansen@canonical.com>
My main user account is managed by systemd-homed. When I enable
AppArmor and have nscd running, I get inconsistent behavior with my
user account - sometimes I can't log in, sometimes I can log in but
not use sudo, etc.
This is the output of getent passwd:
$ getent passwd
root❌0:0::/root:/usr/bin/zsh
bin❌1:1::/:/sbin/nologin
daemon❌2:2::/:/sbin/nologin
mail❌8:12::/var/spool/mail:/sbin/nologin
ftp❌14:11::/srv/ftp:/sbin/nologin
http❌33:33::/srv/http:/sbin/nologin
nobody❌65534:65534:Nobody:/:/sbin/nologin
dbus❌81:81:System Message Bus:/:/sbin/nologin
[...]
rose❌1000:1000:Rose Kunkel:/home/rose:/usr/bin/zsh
But getent passwd rose and getent passwd 1000 both return no output.
Stopping nscd.service fixes these problems. Checking the apparmor
logs, I noticed that nscd was denied access to
/etc/machine-id. Allowing access to that file seems to have fixed the
issue.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/707
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/145
Signed-off-by: John Johansen <john.johansen@canonical.com>
- On Arch Linux certificates are extracted to /etc/ca-certificates/ by the update-ca-trust script.
- /etc/libressl/ is used by Arch Linux's libressl package.
- Combine rules to reduce number of lines.
With the exception of the documentation fixes, these should all be
invisible to users.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
Dovecot is hit with this denial on Debian 10 (buster):
```
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
```
This results in fatal error:
```
Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
/usr/share/dovecot/dh.pem: Permission denied
```
Add rule to allow reading dh.pem.
Unfortunately in apparmor sockets need `rw` access. Currently x11 can only work if abstract socket is available and used instead so those restrictions won't trigger.
partially reverts c7b8368216
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/664
Acked-by: John Johansen <john.johansen@canonical.com>
[Fontmatrix](https://github.com/fontmatrix/fontmatrix) [adds \~/.Fontmatrix/Activated to fonts.conf](https://github.com/fontmatrix/fontmatrix/blob/75552e2/src/typotek.cpp#L1081-L1088). This causes programs which use [Fontconfig](https://gitlab.freedesktop.org/fontconfig/fontconfig) (directly or indirectly through libraries such as [Pango](https://pango.gnome.org/)) to include that directory in their font search path, which causes errors such as:
```
audit: type=1400 audit(1602678958.525:53): apparmor="DENIED" operation="open" profile="fr.emersion.Mako" name="/home/username/.Fontmatrix/Activated/.uuid" pid=48553 comm="mako" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1602678958.525:54): apparmor="DENIED" operation="open" profile="fr.emersion.Mako" name="/home/username/.Fontmatrix/Activated/" pid=48553 comm="mako" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
```
if the program does not explicitly include this directory in its AppArmor profile. As with other common font locations, add `~/.Fontmatrix/Activated` to the fonts abstraction for read-only access.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/657
Acked-by: John Johansen <john.johansen@canonical.com>
Unfortunately in apparmor sockets need rw access. Currently x11 can only work if abstract socket is available and used instead so those restrictions won't trigger. This partially reverts c7b8368216
[Fontmatrix] [adds ~/.Fontmatrix/Activated to fonts.conf]. This causes
programs which use [Fontconfig] (directly or indirectly through
libraries such as [pango]) to include that directory in their font
search path, which causes errors such as:
audit: type=1400 audit(1602678958.525:53): apparmor="DENIED" operation="open" profile="fr.emersion.Mako" name="/home/username/.Fontmatrix/Activated/.uuid" pid=48553 comm="mako" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1602678958.525:54): apparmor="DENIED" operation="open" profile="fr.emersion.Mako" name="/home/username/.Fontmatrix/Activated/" pid=48553 comm="mako" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
if the program does not explicitly include this directory in its
AppArmor profile. As with other common font locations, add
~/.Fontmatrix/Activated to the fonts abstraction for read-only access.
[Fontconfig]: https://gitlab.freedesktop.org/fontconfig/fontconfig
[Fontmatrix]: https://github.com/fontmatrix/fontmatrix
[Pango]: https://pango.gnome.org/
[adds ~/.Fontmatrix/Activated to fonts.conf]: https://github.com/fontmatrix/fontmatrix/blob/75552e2/src/typotek.cpp#L1081-L1088
Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
This tightens the cache location in @{HOME}/.cache and also adds
the tmp fallback location.
Currently there are the following entries in the mesa abstraction:
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/91
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and allow dovecot to Px to it.
The profile is based on a profile I received in a bugreport, with the
actual script factored out. Note that you'll _need_ to add a rule to the
local/ include to allow executing the actual script, but since the
script to execute is configurable, it's basically impossible to add a
default rule for it.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1166007
As of [48755ebf](https://www.openhub.net/p/dnsmasq/commits/1679009518), dnsmasq iterates through directory entries in /proc/self/fd/ to find which file descriptors are open to avoid the potentially costly operation of closing all possible file descriptors.
While the current profile does not make dnsmasq inoperable, this change permits AppArmor users running dnsmasq to avoid falling back on the generic code path.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/628
Acked-by: John Johansen <john.johansen@canonical.com>
New kernels provide an alternative proc attr interface for apparmor
which is needed for LSM stacking.
Update the remaining profiles that use the old interface to
include access to the new interface.
Signed-off-by: John Johansen <john.johansen@canonical.com>
As of [48755ebf], dnsmasq iterates through directory entries in
/proc/self/fd/ to find which file descriptors are open to avoid the
potentially costly operation of closing all possible file descriptors.
[48755ebf]: https://www.openhub.net/p/dnsmasq/commits/1679009518
LSM stacking adds new interfaces
/proc/<pid>/attr/apparmor/*
that should be used in preference of the old interface files in
/proc/<pid>/attr/*
The library has already been updated to use the new path but the
abstraction for change_profile has not so accessing the new interface
in a confined application fails.
Fix this by making the abstraction cover the old and new interfaces.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Signed-off-by: John Johansen <john.johansen@canonical.com>
- drop out dated maintenance comment
- cleanup profile name rules, and fix a few broken references
- /usr/lib -> /{usr,}/lib
- lib -> lib{,32,64}
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/611
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
Host files accessed by tcp_wrapper can reference other files, from man
5 hosts.allow
```
A string that begins with a '/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used.
```
This means adding a file to hosts requires updating multiple profiles
Add a hosts abstraction so users only have to modify a single location.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/605
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1864466
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Ubuntu is dropping their chromium-browser profile because
chromium-browser has been made a snap on ubuntu. Suck in the profile
upstream as a reference profile for those who want to confine
chromium outside of a snap, and update its includes.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/606
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
