Fix crash on unbalanced parenthesis in filename
See merge request apparmor/apparmor!402
Seth Arnold <seth.arnold@canonical.com> for 2.10..master
(cherry picked from commit db1f391844)
8f74ac02 Fix crash on unbalanced parenthesis in filename
[2.11..2.13] handle_children: Fix denying of adding a hat
See merge request apparmor/apparmor!378
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d2e83231f0)
87f91864 handle_children: Fix denying of adding a hat
This is a backport of !239
commit 2209e09aef
Author: nl6720 <nl6720@gmail.com>
aa-notify man page: update user's configuration file path
Signed-off-by: nl6720 <nl6720@gmail.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/243
(backported from commit 2209e09aef)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Fix aa-mergeprof crash caused by accidentally initialized hat
See merge request apparmor/apparmor!234
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 93445ca02d)
bc492533 Fix aa-mergeprof crash caused by accidentally initialized hat
2.11: Add basic support for abi rules to the tools
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
In the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does not run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-)
This is a backport of 072d3e04 / !202 (merged) to
2.11 (with some adjustments because that commit didn't apply cleanly)
I propose this patch for 2.10 and 2.11.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/223
Acked-by: John Johansen <john.johansen@canonical.com>
2.11/2.10: is_skippable_dir(): add 'cache.d' to exclude list
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/
Reported on the opensuse-factory mailing list by Frank Krüger and
confirmed by others.
(cherry picked from commit 5b9497a8)
While this isn't strictly needed for 2.10 or 2.11 userspace, it makes testing these branches easier ;-)
I propose this cherry-pick for 2.11 (= this merge request) and 2.10.
https://gitlab.com/apparmor/apparmor/merge_requests/222
Acked-by: John Johansen <john.johansen@canonical.com>
make 2.11 utils tests green
- switch minitools_test.py to a profile without alternation
- remove non-failing tests from unknown_line exception
- exclude several #include "does not exist" examples
PR: https://gitlab.com/apparmor/apparmor/merge_requests/220
Legacy path ~/.apparmor/notify.conf is preferred if it exists, otherwise
$XDG_CONFIG_HOME/apparmor/notify.conf, with fallback to
~/.config/apparmor/notify.conf, is used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/215
Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit 1fb9acc59e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
In the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does _not_ run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-)
This is a backport of 072d3e0451 / !202 to
2.11 (with some adjustments because that commit didn't apply cleanly)
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/
Reported on the opensuse-factory mailing list by Frank Krüger and
confirmed by others.
(cherry picked from commit 5b9497a8c6)
bare_include_tests/ok_30.sd and ok_31.sd don't fail with the 2.11 tools.
Remove them from the unknown_line exception.
(Interestingly newer branches fail on these tests, but I didn't check why.)
These tests were added with the cherry-picked commit 4184b0c363
They are expected to fail, but don't fail with the 2.11 tools because
the regex only matches #include <...> which means #include "..."
is considered to be a comment.
Remove accidentally added text from utils/po/Makefile
See merge request apparmor/apparmor!217
Acked-by: Tyler Hicks <tyhicks@canonical.com>
(cherry picked from commit fa82a51523)
15770576 Remove accidentally added text from utils/po/Makefile
add zsh to logprof.conf
See merge request apparmor/apparmor!201
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 7e22b0a894)
00871696 add zsh to logprof.conf
The URL redirect ends up at a page in the new wiki that doesn't exist.
We have to link directly to the gitlab URL here since the current URL
redirect doesn't let us use a wiki.apparmor.net URL and still reach the
expected Profiles page.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
When running aa-genprof in a lxd instance, printk_ratelimit is readonly
and writing to it fails. Instead of crashing with a backtrace, only
print a warning.
References: https://bugs.launchpad.net/apparmor/+bug/1785391
(cherry picked from commit 961e69afe5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
use_group is only honored if it is defined.
The "real" permission check is reading the logfile - the group check
in aa-notify is just an annoying additional check, and the default
"admin" only works on Ubuntu (other distributions typically use
"wheel").
This commit comments out use_group in the default config, which allows
everybody to use aa-notify. Permissions for reading the log file are of
course still needed.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/82
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1058787
(cherry picked from commit 86ec3dd658)
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
parse_profile_start(): Error out on nested child profiles
See merge request apparmor/apparmor!136
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit b7a4f37cbb)
8462c39b parse_profile_start(): Error out on nested child profiles
write_pair() ignored the 'tail' parameter, which resulted in writing
invalid alias rules (without the trailing comma).
Also add an alias to test/cleanprof.* to ensure it doesn't break again.
(cherry picked from commit ae4ab62855)
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/119
Writing a "link subset" rule missed a space, which resulted in something
like
link subset/foo -> /bar,
Also add a test rule to tests/cleanprof.* to ensure this doesn't break
again.
(cherry picked from commit 514535608f)
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/117
utils tests: ignore tests for 'include if exists'
See merge request apparmor/apparmor!78
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit e6ef536957)
dc7c7021 utils tests: ignore tests for 'include if exists'
ignore .git in is_skippable_dir()
See merge request apparmor/apparmor!77
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 3b5683be29)
f9eb3fea ignore .git in is_skippable_dir()
Right now, if you have a named profile with regular expressions to
match binaries, the profile will be shown in aa-status under the
"process list", which doesn't make sense. Instead, show the actual
executable name, and if the profile name differs, report it at the
end (or as a separate field in the json output mode).
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
set DBUS_SESSION_BUS_ADDRESS, needed by notify-send
See merge request apparmor/apparmor!53
Acked-by: intrigeri <intrigeri@debian.org> for 2.9..master
(cherry picked from commit 0eefeeb0e7)
cb5cdf26 set DBUS_SESSION_BUS_ADDRESS, needed by notify-send
The tools don't support having multiple rules in one line (they expect
\n after each rule), therefore mark some of the bare_include_tests as
known failures.
(cherry picked from commit 26af640fda)
Signed-off-by: John Johansen <john.johansen@canonical.com>
handle_children(): automatically add m permissions on ix rules
See merge request apparmor/apparmor!22
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit b2df42f55b)
7a49f37c handle_children(): automatically add m permissions on ix rules
FileRule: detect that 'a' is covered by 'w'
See merge request apparmor/apparmor!23
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6483c627d2)
1857f07d test-file.py: Document that w doesn't cover a yet
a0d4e246 FileRule: detect that 'a' is covered by 'w'
The test-aa-easyprof.py script relies on the parser to be built so the
check target of the utils/test/Makefile should detect if the parser
exists before running any tests.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Christian Boltz <apparmor@cboltz.de>
Don't print a literal '\n' in aa-remove-unknown help
See merge request apparmor/apparmor!21
Acked-by: Tyler Hicks <tyhicks@canonical.com> for 2.9..trunk
(cherry picked from commit 3d40bc6f23)
4d4228d1 Don't print a literal '\n' in aa-remove-unknown help
Let read_inactive_profiles() do nothing when calling it the second time
See merge request apparmor/apparmor!17
(cherry picked from commit 794d1c4a07)
b307e535 Let read_inactive_profiles() do nothing when calling it the second time
After using "view changes", the selection got reset to the first changed
profile. This could mislead the user into saving the wrong profile.
This patch ensures the selection is kept.
Cherry-picked from master 051be5dec0
(+ whitespace adjustments)
Acked-by: Tyler Hicks <tyhicks@canonical.com> for master and 2.11
The last change in save_profiles() sorted() the order in which the
changed profiles get displayed. However, it did not honor the sorting
when displaying changes or saving the selected profile, leading to the
wrong profile displayed or saved.
This patch fixes picking the selected profile, and at the same time
replaces the duplicated code for doing this with a single instance.
Note that the 2.11 branch needs a slightly different patch (different
indentation).
Also note that this regression made it into 2.11.1, so distributions
shipping 2.11.1 should add this patch.
Cherry-picked from master fe1fb7caa3
(+ whitespace adjusted)
Acked-by: Tyler Hicks <tyhicks@canonical.com> for master and 2.11
YaST has two issues in the "save changed profiles" dialog:
- when using "save selected", the list of profiles doesn't get updated.
Update q.options inside the loop to fix this.
- the list of profiles is displayed as "["/usr/bin/foo", true]" instead
of just "/usr/bin/foo". Use changed.keys() instead of changed to fix
this. (text-mode aa-logprof doesn't change, it always displayed
"/usr/bin/foo" and continues to do so.)
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062667 part a)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11.
Note that 2.11 needs a slightly different patch (whitespace diff).
'smc' seems to be new in kernel 4.12.
Note that the 2.10 apparmor.d manpage also misses the 'kcm' keyword, so
the patch also adds it there.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.11 and 2.10.
get_file_perms() and propose_file_rules() happily collect all file
permissions. This could lead to proposing 'wa' permissions in
aa-logprof, which then errored out because of conflicting permissions.
This patch adds a check to both functions that removes 'a' if 'w' is
present, and extends the tests to check this.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11.
Note: Both functions (including this bug) were introduced together with
FileRule, so older releases are not affected.
When creating a new child profile, handle_children() did only copy over
include and path rules. While this was correct in the past, path rules
got changed to FileRule in the meantime and were therefore lost.
(In practise, this means the "$binary mr," rule wasn't added to the new
child profile, causing a "superfluous" question in aa-logprof.)
This patch changes handle_children() to carry over the complete new
child profile instead of only cherry-picking include and path rules.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.11.
Older versions (with path as hasher) are not affected.
This option exists in several aa-* tools since 2.9, but isn't mentioned
in the manpage.
Also drop some trailing whitespace in the manpages.
Acked-by: John Johansen <john.johansen@canonical.com>
for 2.9, 2.10, 2.11 and trunk.