So far, aa-autodep "accidently" loaded the abstractions when parsing the
existing profiles. Obviously, this only worked if there is at least one
profile in the active or extra profile directory.
Without any existing profiles, aa-autodep crashed with
KeyError: '/tmp/apparmor.d/abstractions/base'
Prevent this crash by explicitely loading the abstractions on start.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/682
(cherry picked from commit f6b3de7116)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is needed to catch conflicts between uppercase and lowercase
hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in
the german utils translations.
(cherry picked from commit 07bd11390e)
Dovecot is hit with this denial on Debian 10 (buster):
```
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
```
This results in fatal error:
```
Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
/usr/share/dovecot/dh.pem: Permission denied
```
Add rule to allow reading dh.pem.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 9d8e111abe)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The mnt_point and devices conditionals in mount rules are generally
paths and should have slashes filtered after variable expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a1978fb1b2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similar to unix addr rules, the dbus path conditional is more a path
than a profile name and should get its slashes filtered after variable
expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 35f6d49ec6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently mount options type= and options= do not expand variables
but they should. Fix it.
Note: this does not treat either as paths because their use is
too device dependent for it to be safe to filter slashes.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/99
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/638
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 882380ad3d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
include the `<sys/socket.h>` header to make its declaration available.
While this works on systems using glibc via transitive includes, it
breaks compilation on musl libc.
Fix the issue by including the header.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 47263a3a74)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While `_aa_asprintf` is supposed to be of private visibility, it's used
by apparmor_parser and thus required to be visible when linking. This
commit thus adds it to the list of private symbols to make it available
for linking in apparmor_parser.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 9a8fee6bf1)
prologue.inc:settest() in same cases invokes a sed command that uses
'~' as a pattern separator, on things that can contain filesystem
paths. However, in the debian/ubuntu world, '~' can be used in version
strings, particularly for pre-release versions, and when this happens
and the version is embedded in the path, the sed command breaks
because of the extraneous separator. Fix this by using '#' as a
separator, which has the benefit of being considered a comment if
accidentally interpreted by a shell.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/599
(cherry picked from commit efc6590409)
Signed-off-by: John Johansen <john.johansen@canonical.com>
These capabilities were introduced in Linux 5.8
References: https://bugs.launchpad.net/bugs/1890547
(cherry picked from commit ae01250209)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similar to the profiles/ check using the python utilities, the
tests for the python utilities were not including the path for the
swig libapparmor library in the LD_LIBRARY_PATH variable, only in
PYTHONPATH. This commit fixes that, renaming the variable used for
the built libapparmor check.
v2:
- actually use the LIBAPPARMOR_PATH variable when defining
LD_LIBRARY_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The commit c8b6d8b393 ("profiles: Update 'make check' to select tools
based on USE_SYSTEM") set a bunch of variables but neglected to apply
them when invoking aa-logprof. This commit addresses this by:
* correcting the PYTHONPATH used with aa-logprof
* setting LD_LIBRARY_PATH when invoking aa-logprof
* adjusting LD_LIBRARY_PATH to include both the directory location
of libapparmor but also the swig libapparmor library needed for
python tools to function.
* adjusts the test for the presence of libapparmor to not use
LD_LIBRARY_PATH but instead a libapparmor specific variable
LIBAPPARMOR_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Fixes: c8b6d8b393
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
When running the 'check-logprof' test using tools in the tree,
libapparmor needs to have been built for the python utilities to work.
Add a check for its existence to the test-dependencies target.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The "local" make target does not depend on the parser having been
built. Create a separate "test-dependencies" target and have the tests
that need them depend on that and the "local" target, when validating
the profile set against the apparmor tools.
Fixes: c8b6d8b393
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The profiles dirs make check is not always using the correct tools.
Update it to be similar to other Makefiles where the var USE_SYSTEM
make check USE_SYSTEM=1
is used to indicated that the system installed tools should be used
and
make check
is used to run the tests against the in tree tools
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit c8b6d8b393)
Seen on openSUSE Tumbleweed with the mail users in a mysql database.
(cherry picked from commit f7ab91f423)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is needed when using the "apparmor" plugin which means dovecot
switches to user-specific hats.
Seen on openSUSE Tumbleweed.
(backported from commit 6a388859f8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
strip_quotes() assumed its parameter is at least one character long, and
errored out on an empty string.
It also converted a string consisting of a single quote to an empty
string because that single quote had a quote as first and last char.
This commit fixes these two bugs.
Also rewrite TestStripQuotes to use tests[], and add some test for an empty
string, a one-char path (just a slash) and a single quote.
(cherry picked from commit 373e8e23b1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor.vim: allow leading whitespace for alias rules
See merge request apparmor/apparmor!527
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..master
(cherry picked from commit ae70ecfbaa)
c636580f apparmor.vim: allow leading whitespace for alias rules
Bug-Debian: https://bugs.debian.org/943657
Author: Matthias Klose <doko@debian.org>
(cherry picked from commit ccbf1e0bf1)
The default ubuntu:latest docker image has moved to ubuntu 20.04
LTS which includes python 3.8. Without this fix, the libapparmor
configure script fails against python 3.8, as seen in the gitlab
CI build failures.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/519
Privacy statement
See merge request apparmor/apparmor!441
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 4281b58c89)
bfde89a6 infrastructure: Add privacy statement to the README
usr.sbin.dnsmasq: update to support dnsmasq 2.81
See merge request apparmor/apparmor!475
Acked-by: Christian Boltz for 2.11..master
(cherry picked from commit acafe9de82)
88c142c6 usr.sbin.dnsmasq: allow reading @{PROC}/@{pid}/fd/ as is needed by dnsmasq 2.81
abstractions/base: allow read access to /run/uuidd/request
See merge request apparmor/apparmor!445
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 80bf920929)
45fffc12 abstractions/base: allow read access to /run/uuidd/request
abstractions/gnome: also allow /etc/xdg/mimeapps.list
See merge request apparmor/apparmor!444
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 3becbbab2c)
67cf4fa3 abstractions/gnome: also allow /etc/xdg/mimeapps.list
abstractions/base: allow read access to top-level ecryptfs directories
See merge request apparmor/apparmor!443
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 24895ea302)
fbd8981e abstractions/base: allow read access to top-level ecryptfs directories
[2.11+2.12] Backport tunables/share to 2.11 and 2.12 branch
See merge request apparmor/apparmor!446
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6784de4ba1)
99e2d38c Backport tunables/share to 2.11 and 2.12 branch
Fix two test failures in the 2.11 branch:
utils: fixup test-aa.py tests that fail due to usr-merge
drop owner restriction from backported libapparmor test_multi profile (not supported in 2.11)
See the individual commit for details.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/437
Acked-by: John Johansen <john.johansen@canonical.com>
2.11 doesn't support adding the 'owner' restriction when parsing a
logfile. When MR 402 was backported (7ce6ee2a19),
this introduced a test failure.
This commit drops the owner restriction from libapparmor
unbalanced_parenthesis.profile. While this is technically wrong, it's
the expected result in the 2.11 branch.
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit 663546c284)
dffed831 abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
Fix crash on unbalanced parenthesis in filename
See merge request apparmor/apparmor!402
Seth Arnold <seth.arnold@canonical.com> for 2.10..master
(cherry picked from commit db1f391844)
8f74ac02 Fix crash on unbalanced parenthesis in filename
[2.10..2.13] Add for Certbot on openSUSE Leap
See merge request apparmor/apparmor!398
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13
(cherry picked from commit 14a11e67a5)
8b766451 Add for Certbot on openSUSE Leap
