Using /usr/{bin,sbin}/dbsmasq as both the profile name and attachment break compatibility with the peer=/usr/sbin/dnsmasq rule, in the libvirtd profile.
Instead specify the profile has the old name of /usr/sbin/dnsmasq and specify the attachment separately. This looks funny but it avoids breaking libvirtd and still provides the broader attachment need by distros that have merged sbin into bin.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
I propose this patch for 2.12 and 2.13. (Older versions didn't get the alternation, master has a profile name added.)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/346
Signed-off-by: John Johansen <john.johansen@canonical.com>
Even if we expected it to stay compatible with peer=/usr/sbin/dnsmasq in
the libvirtd profile, practise shows that we were wrong.
This patch adds a tricky workaround so that the profile name doesn't
change, but the profile will attach even on distributions with merged
bin and sbin. (Credits for this crazy idea go to John ;-)
It also re-adds the libvirtd peer name /usr/sbin/libvirtd to avoid
breaking libvirtd.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
and the discussion in https://gitlab.com/apparmor/apparmor/merge_requests/346
tunables/share: fix buggy syntax that broke the ~/.local/share part of the @{user_share_dirs} tunable
See merge request apparmor/apparmor!344
(cherry picked from commit 2ed3763a2f)
cdeb6185 tunables/share: fix buggy syntax that broke the ~/.local/share part of the...
The parser is not correctly handling some error conditions when
dealing with work units. Failure to spawn work, access files, etc
should be returned where appropriate, and be able to abort processing
if abort_on_error is set.
In addition some errors are leading to a direct exit without checking
for abort_on_error.
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921866
BugLink: http://bugs.launchpad.net/bugs/1815294
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Eric Chiang <ericchiang@google.com>
(backported from commit cb43e57d27)
Conflicts:
parser/parser_main.c
Reason:
commit 48a32b78b1 not backported
misc dovecot fixes (take #2)
See merge request apparmor/apparmor!336
Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10
(cherry picked from commit e68beb988a)
a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil
d0aa863f dovecot: allow chroot'ing the auth processes
9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket
17db8f38 dovecot: auth processes need to read from postfix auth socket
6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
Debian and Ubuntu have releases coming out with usr-merge in place. For
these systems, /bin and /sbin are symlinks to their respective /usr
directories. This breaks a few tests in the python utils and in the
regression tests. This patch series fixes them, mostly by performing
realpath() calls when necessary. For the ptrace regression test,
it copies the called /bin/true binary into the created temporary
directory and executes it from there. (Good for other reasons, too.)
(cherry picked from commit b4ab8476e4)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/merge_requests/331
Bug-Debian: https://bugs.debian.org/920669
Relevant documentation: http://www.alsa-project.org/main/index.php/Asoundrc
We already grant read access to the corresponding per-user configuration file
(~/.asoundrc) so it makes sense to also grant access to the system-wide one.
(cherry picked from commit 2d72795f65)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Latest netconfig in openSUSE writes /run/netconfig/resolv.conf, and only
has a symlink to it in /etc
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1097370
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit b0bacba9db)
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.
Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
(cherry picked from commit 03ea5b82b7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This updates the mysqld to what I use on my servers nowadays.
Note: my profile also has capability sys_resource,, but I'm not sure
why I had to add this and therefore didn't include it in this merge
request.
Speaking about "why I had added $whatever" - these changes were
collected over the last years and of course ;-) I don't remember any
details.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/310
(cherry picked from commit 0199edf8e7)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
[2.10..2.13] Backport updated font paths
Update fonts for Debian and openSUSE
- Allow to read conf-avail dir itself.
- Add various openSUSE-specific font config directories.
See merge request !96 (merged) for details.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/309
(cherry picked from commit 7bd3029f)
Update fonts for Debian and openSUSE
See merge request apparmor/apparmor!96
(cherry picked from commit 7bd3029f25)
b902d250 Update fonts for Debian and openSUSE
dnsmasq: allow peer=libvirtd to support named profile
See merge request apparmor/apparmor!304
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit 5d384d9625)
20fe099c dnsmasq: allow peer=libvirtd to support named profile
New abstraction: lsb_release (sub-profile).
See merge request apparmor/apparmor!154
(cherry picked from commit 47e38944f3)
f7351405 New profile: lsb_release (no attachment path)
99e45b59 lsb_release: added permissions needed by openSUSE implementation.
parser/apparmor.systemd: fix minor issues detected by shellcheck
See merge request apparmor/apparmor!293
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
(cherry picked from commit a772ee0f8b)
b3937d19 parser/apparmor.systemd: fix minor issues detected by shellcheck
abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
See merge request apparmor/apparmor!299
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 1f53de174d)
1306f9a6 abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
c5a89d5d abstractions/ssl_{certs,keys}: sort the alternation for dehydrated and drop...
04b2842e abstractions/ssl_{certs,keys}: allow reading ocsp.der maintained by dehydrated for OCSP stapling
[2.12+2.13] revert naming the dnsmasq profile
Changing to "profile dnsmasq /..." broke the peer=/usr/sbin/dnsmasq in the libvirtd profile. Revert adding the name to avoid breaking the libvirtd profile in stable branches.
See also https://bugzilla.opensuse.org/show_bug.cgi?id=1118952 which is a request to update the libvirtd profile to allow both peer=dnsmasq and peer=/usr/sbin/dnsmasq
I propose this revert for 2.12 and 2.13 (older branches didn't get the named profile)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/290
Acked-by: John Johansen <john.johansen@canonical.com>
Changing to "profile dnsmasq /..." broke the peer=/usr/sbin/dnsmasq in
the libvirtd profile. Revert adding the name to avoid breaking the
libvirtd profile in stable branches.
See also https://bugzilla.opensuse.org/show_bug.cgi?id=1118952
which is a request to update the libvirtd profile to allow both
peer=dnsmasq and peer=/usr/sbin/dnsmasq
This is needed if a dovecot child process segfaults - in this case,
dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/286
(cherry picked from commit 2202a8a267)
Signed-off-by: John Johansen <john.johansen@canonical.com>
or: get rc.apparmor.functions in sync with the tools and libapparmor.
This was "accidently" reported by Ralph on the opensuse-support
mailinglist.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/282
(cherry picked from commit 228b92ce5a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
[2.12+2.13] Replace "existing_profiles" & fix minitools for named profiles
(This is the 2.13 version of !249 (merged) which had a few merge conflicts in the 2.13 branch, and needs a little change (last commit) on top)
This patchset introduces the ProfileList class which replaces "existing_profiles" in aa.py and fixes some bugs in aa-complain and the other minitools:
* aa-complain etc. never found profiles that have a profile name (the attachment wasn't checked)
* even if the profile name was given as parameter to aa-complain, it first did "which $parameter" so it never matched on named profiles
* profile names with alternations (without attachment specification) also never matched because the old code didn't use AARE.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92 (search for "As usual" ;-)
See the individual commit messages for details.
All changes survived my tests (both manually and unittests), but as always when doing bigger changes to aa.py, more manual testing is always welcome ;-)
I propose this patch for 2.12 and 2.13.
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
PR: PR: https://gitlab.com/apparmor/apparmor/merge_requests/288
Signed-off-by: Petr Vorel <pvorel@suse.cz>
(cherry picked from commit 3ef8df6ac0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 0a666b8e48)
cb468786 Add /etc/letsencrypt stuff to ssl_keys/ssl_certs abstraction
aa-genprof checks if one of the profiles in the extra profile dir
matches the binary, and proposes to use that profile as a starting
point.
Since 4d722f1839 the "(V)iew profile"
option to display the proposed profile was broken.
The easiest fix is to remember the filename in the extras directory, and
display the file from there.
Sidenote: when choosing to use the extra profile, it gets written to
disk without any problems, so this bug really only affected "(V)iew
profile" to preview the proposed extra profile.
(cherry picked from commit 8b4e76a7d5)
'lastline' gets merged into 'line' (and reset to None) when reading the
next line. If 'lastline' isn't empty after reading the whole profile,
this means there's something unparseable at the end of the profile,
therefore parse_profile_data() should error out.
Also remove some simple_tests testcases from the 'exception_not_raised'
list - they only didn't raise the exception because the invalid rule was
the last line in the affected profile.
Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
discovering this bug while adding some xattr testcases that surprisingly
didn't fail in the tools.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/271
(cherry picked from commit 4efff35bf8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
In the 2.13 branch (and older), 'options' is not always a dict, but can
also be None or an empty string.
Adjust the if condition in serialize_profile() so that "View changes
between clean profiles" doesn't error out.
Technical stuff first:
Replace existing_profiles (a dict with the filenames for both active and
inactive profiles) with active_profiles and extra_profiles which are
ProfileList()s and store the active profiles and those in the extra
directory separately. Thanks to ProfileList, now also the relation
between attachments and filenames is easily available.
Also replace all usage of existing_profiles with active_profiles and
extra_profiles, and adjust it to the ProfileList syntax everywhere.
With this change, several bugs in aa-complain and the other minitools
get fixed:
- aa-complain etc. never found profiles that have a profile name
(the attachment wasn't checked)
- even if the profile name was given as parameter to aa-complain, it
first did "which $parameter" so it never matched on named profiles
- profile names with alternations (without attachment specification)
also never matched because the old code didn't use AARE.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
(search for "As usual" ;-)
Just for completeness - the matching still doesn't honor/expand
variables in the profile name.
(cherry picked from commit 4d722f1839)
ProfileList is meant to store the list of profiles (both name and
attachment) and in which files they live.
Also add unittests to make sure everything works as expected.
(cherry picked from commit 789c4658e2)
parse_profile_data() returns the parsed profiles, but writes to
existing_profiles directly.
read_profiles() calls parse_profile_data() and already handles adding
the parsed profiles to aa, original_aa or extras, which means updating
existing_profiles there is a much better place.
This commit also includes a hidden change: Previously, when parsing
include files, they were also added to existing_profiles. This is
superfluous, only real profiles need to be stored there.
(cherry picked from commit 8809218ac8)
Split get_profile_filename() into
- get_profile_filename_from_profile_name() (parameter: a profile name)
- get_profile_filename_from_attachment() (parameter: an attachment)
Currently both functions call get_profile_filename_orig() (formerly
get_profile_filename()) so the behaviour doesn't change yet.
The most important part of this commit is changing all
get_profile_filename() calls to use one of the new functions to make
clear if they specify a profile or an attachment/executable as
parameter.
As promised, the is_attachment parameter starts to get used in this
patch ;-)
Note: The get_new parameter (which I'll explain in the patch actually
using it) is set to True in all calls to the new functions.
The long term plan is to get rid of it in most cases (hence defaulting
to False), but that will need more testing.
(cherry picked from commit ec741424f8)
The minitools call write_profile(), write_profile_feedback_ui() and
serialize_profile() with the _attachment_ as parameter.
However, aa-logprof etc. call them with the _profile name_ as parameter.
This patch adds an is_attachment parameter to write_profile() and
write_profile_feedback_ui(). It also passes it through to
serialize_profile() via the options parameter.
If is_attachment is True, the parameter will be handled as attachment,
otherwise it is expected to be a profile name.
tools.py gets changed to set is_attachment to True when calling the
functions listed above to make clear that the parameter is an attachment.
Note: This patch only adds the is_attachment parameter/option, but
doesn't change any behaviour. That will happen in the next patch.
(cherry picked from commit bc783372b8)
[2.12+2.13] use serialize_profile() for the new profile in (V)iew Changes
See merge request apparmor/apparmor!267
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12 and 2.13
... which is unused since the last commit.
Note: unlike 0eb12a8cbd, this commit does
_not_ delete several write_* function that were only used by this
function. Verifying that these functions are really unused is not worth
the effort in the 2.13 branch.
(cherry picked from commit 0eb12a8cbd -
but only apply partially)
