If `apparmor_parser -N` (in `profiles_names_list()`) fails,
`aa-remove-unknown` possibly gets an incomplete list of profiles in
`/etc/apparmor.d/` and therefore might remove more profiles than it
should.
Replace the `profiles_names_list()` call with a direct `apparmor_parser`
call, and abort aa-remove-unknown if it exits with $? != 0
Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```
After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```
And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```
Also drop the now-unused profiles_names_list() from rc.apparmor.functions - the only user was aa-remove-unknown.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/836
Acked-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
If apparmor_parser -N (in profiles_names_list()) fails,
aa-remove-unknown possibly gets an incomplete list of profiles in
/etc/apparmor.d/ and therefore might remove more profiles than it
should.
Replace the profiles_names_list() call with a direct apparmor_parser
call, and abort aa-remove-unknown if it exits with $? != 0
Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```
After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```
And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```
Library versioning requires we keep these changes in sync. Since the
3.0.4 release bumped revision we need to do it here as well.
Signed-off-by: John Johansen <john.johansen@canonical.com>
... which is used by aa-remove-unknown.
apparmor_parser can read a whole directory, therefore we don't need to
do the directory listing, excluding *.rpmnew etc. ourself.
Related to https://gitlab.com/apparmor/apparmor/-/issues/148
... which became superfluous after dropping use of xargs as fallback
when loading profiles in 0b8ea047e8
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/833
Acked-by: Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Currently libapparmor fails to build when lto is used because it uses
the asm directive to provide different version of some symbols.
Unfortunately gcc does not recognize this and the symbols defined by
asm are lost and optimized out by lto and then the link fails.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/214
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/831
Signed-off-by: John Johansen <john.johansen@canonical.com>
The AppArmor systemd scripts correctly detect the Windows Subsystem for Linux as a container, since all Linux distros executing under WSL 2 are containerized; however, unlike the majority of containers (since there is no accessible host distribution above them trying to set AppArmor policies that might interfere), AppArmor itself functions without problems in the WSL environment.
This patch adds WSL detection to the is_container_with_internal_policy function, allowing AppArmor to be started and operate normally in a WSL-plus-systemd environment.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/812
Acked-by: John Johansen <john@jjmx.net>
LP:1377338 <https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1377338>
has been fixed for quite awhile and we don't need to call xargs as
a fallback when loading policy fails.
In addition we really don't want to be doing this because we want to
be moving to atomic profile loads where if one profile fails the
whole load fails. This is a step in that direction.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Permission denied when Evince tries to use Chrome to open link.
In config is missing the bin: `/opt/google/chrome/crashpad_handler`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/830
Acked-by: John Johansen <john@jjmx.net>
This test uses unix_fd_server to open a file and pass
its file descriptor to the attach_disconnected tests, which
then mounts, pivots root and then tries to open the file.
Since the server execs the client, this MR also inverts the order
of the parameters to allow the server to forward the client's args
along with the unix_socket path.
I'm also refactoring out the unix_fd_client logic into unix_fd_common,
so we can use this implementation when creating other clients, which is the case
for the test binary attach_disconnected
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/810
Acked-by: Approved-by: John Johansen <john@jjmx.net>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
This test uses unix_fd_server to open a file and pass
its file descriptor to the attach_disconnected tests, which
then mounts, pivots root and then tries to open the file.
Since the server execs the client, this commit also inverts the order
of the parameters to allow the server to forward the client's args
along with the unix_socket path.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/810
Acked-by: John Johansen <john.johansen@canonical.com>
The code from unix_fd_client can be used by other clients which
will receive the fd of a file using SCM rights.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/810
Acked-by: John Johansen <john.johansen@canonical.com>
The file query test on query_label.sh fails on kernels
before 4.4 because of the lack of support. Since there
is no feature file to examine for this feature, we
needed to check for the kernel version. Refer to [qa-regression-testing](https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py#n1653).
As discussed on !767, we might need a more complicated test than
only checking for the kernel version, since this feature might
be available in out-of-tree Ubuntu kernels such as saucy (3.13).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/769
Acked-by: John Johansen <john@jjmx.net>
Whenever the evince deb package tries to open a snap browser which was
selected as the default, we get the following denial:
audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
As a short-term solution, we are adding a snap-browsers profile
which restricts what snaps opened by evince can do.
The long-term solution is currently not available, but could be
accomplished by using enhanced environment variable filtering/mediation
and delegation of open fds.
Bug: https://launchpad.net/bugs/1794064
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/806
Acked-by: John Johansen <john@jjmx.net>
GTK/QT apps need to read some config files in order to properly render their windows in a graphical session. There are some `qt5` abstractions already, but it looks like the `gtk` abstraction is missing.
The `*gtk*` rules are basically the location of the GTK config files I found on the internet when I was trying to compose this abstraction. Some of the paths are missing in Debian, but different distros can use (or were using) them. Since GTK apps use themes, the abstraction also include the whole `/usr/share/themes/` , `@{HOME}/.themes/` and `@{HOME}/.local/share/themes/` dirs. I'm not sure whether this should be tightened. The `.Xauthority` file is generally needed when you deal with GUI apps under Xserver. Also since all GUI apps redirect output/error to the `~/.xsession-errors` file, this file also was included here.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/65
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/168
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/825
Acked-by: John Johansen <john.johansen@canonical.com>
The Hack used to build the libapparmor swig interface for ruby fails
with ruby 3.1. Instead of trying to do black magic in ruby to rename
the generated Makefile to Makefile.new, just save off the Makefile
and restore after ruby's setup has been called.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/206
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
busybox xargs does not have -d nor long --max-procs options, instead use -0 (and separate arguments with printf "%s\\0") and -P which are more portable. While we are here, also add -r (--no-run-if-empty, which also has no long equivalent for busybox) as we likely don't want to run anything if no profile were found
This is useful for alpine systems where findutils is not installed by default, but busybox xargs is available.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/828
Acked-by: John Johansen <john.johansen@canoical.com>
busybox xargs does not have -d nor long --max-procs options,
instead use -0 (and separate arguments with printf "%s\0")
and -P which are more portable.
While we are here, also add -r (--no-run-if-empty, which also has
no long equivalent for busybox) as we likely don't want to run
anything if no profile were found
This is useful for alpine systems where findutils is not installed by
default, but busybox xargs is available.
This fixes a crash when a profile name contains a \n character which
breaks profile name parsing. The fix is minimal in that it ignores
the bad profile name and continues processing.
Ideally this name would not exist and is indicative of a bug in the kernel.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/211
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/824
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
profiles/apparmor.d: Fix file_mmap violation for bsc#1192336.
See merge request apparmor/apparmor!819
Acked-by: Christian Boltz <apparmor@cboltz.de> for 3.0 and master
abstractions/python: merge /usr/ and /usr/local/ rules, and add some new rules
See merge request apparmor/apparmor!814
Acked-by: Georgia Garcia <georgia.garcia@canonical.com>
If there's still some code left that tries to access an uninitialized
item in 'aa' (reading or writing), this will result in a very visible
crash instead of silently seeming to work.
Testing shows that we seem to correctly initialize each item in 'aa' (no
crashes), therefore let's hope the best ;-)
- allow reading *.so.*
- allow directory listings in .../site-packages/
- allow reading various metadata files
These additions are based on denials seen on openSUSE Leap 15.3 with
python 3.9.
This keeps all existing permissions, and adds a few that were out of
sync:
- /usr/lib*/python3.*/lib-dynload/*.so missed 3.1[0-9]
- /usr/lib/python3/... was missing, only /usr/local/python3/ was allowed
Both aarch64 and s390x have a bigger wtmp record size (16 bytes more than x86_64, 400 bytes total).
The byte position of the timestamp is also different on each architecture. To make things even more interesting, s390x is big endian.
Note that this MR includes more things, like
* moving `get_last_login_timestamp()` to the new `apparmor/notify.py` file
* add unit tests for it
* add wtmp example files from various architectures, including a hand-edited one claiming to be from 1999
* fixing a bug in `get_last_login_timestamp()` that unpacked `type` from too many bytes - which accidently worked on x86_64
* detecting from which architecture the wtmp file comes (luckily the timestamps are located at different locations)
See the individual commits for details.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1181155
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/809
Acked-by: John Johansen <john.johansen@canonical.com>
