This function is based on reload_profile() in tools.py, but also
replaces most of reload_base() in aa.py.
For bonus points, we get rid of shell=True when calling apparmor_parser.
Note: This slightly changes the behaviour of aa-logprof and aa-genprof -
if the parser errors out ($? > 0), the output no longer gets hidden.
However, this will not raise an exception, and aa-logprof and aa-genprof
won't abort on parser errors.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/855
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
systemd will attempt to force socket buffer size using setsockopt
and param SO_SNDBUFFORCE (which require net_admin cap) if it's previous
attempt to set size was clipped by kernel limit.
- Silence 'type=AVC msg=audit(1648725005.727:201): apparmor="DENIED" operation="capable" profile="smbd" pid=3054 comm="smbd" capability=12 capname="net_admin"'
type entries.
Signed-off-by: Noel Power <noel.power@suse.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/867
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... if a test is expected to fail, but succeeds.
Also fix the copyright year - the test was created in 2022, not in 2013.
This fixes my comments on
bd78b6b292
The original MR !850 was merged into 3.0 and master, therefore I also propose this patch for 3.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/868
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
... if a test is expected to fail, but succeeds.
Also fix the copyright year - the test was created in 2022, not in 2013.
This fixes my comments on
bd78b6b292
systemd will attempt to force socket buffer size using setsockopt
and param SO_SNDBUFFORCE (which require net_admin cap) if it's previous
attempt to set size was clipped by kernel limit.
- Silence 'type=AVC msg=audit(1648725005.727:201): apparmor="DENIED" operation="capable" profile="smbd" pid=3054 comm="smbd" capability=12 capname="net_admin"'
type entries.
Signed-off-by: Noel Power <noel.power@suse.com>
similar to commit 2f9d172c64
we discovered that there was a service outage
when dovecot tried to send a usr1 signal
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/865
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
- add pki/blacklist and pki/blocklist
- add /usr/share/pki/ in adddition to /etc/pki/
pki/blocklist was suggested by @darix, the other changes are things I noticed while adding it.
I propose this patch for 3.0 and master. (`abstractions/ssl_certs` on 2.x branches is quite different and needs a manual backport (or more cherry-picks) if you want to backport this MR.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/864
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
similar to commit 2f9d172c64
we discovered that there was a service outage
when dovecot tried to send a usr1 signal
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
- add pki/blacklist and pki/blocklist
- add /usr/share/pki/ in adddition to /etc/pki/
pki/blocklist was suggested by @darix, the other changes are things I noticed while adding it.
libapparmor: fix handling of failed symlink traversal, fixed a couple
of directory walk issues that could cause failures. The test included
in this commit was supposed to be included in the previous commit,
but was accidentally dropped. Even worse the make file changes did
make it causing the previous commit to break the CI.
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/85
Signed-off-by: John Johansen <john.johansen@canonical.com>
Ideally we would have a flag or something so the caller could choose
to handle symlinks, or traverse them. But since all callers currently
don't handle symlinks just handle them in the iterator.
Beyond fixing the early termination due to a failed symlink this also
fixes another case of failure in one job cause dir based loads to
terminate early. Which can result in partial loads.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/215
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/850
Signed-off-by: John Johansen <john.johansen@canonical.com>
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Get rid of subprocess with shell=True
Simplify logmark used in syslog.
Instead of using `date | md5sum` and parsing the output to get the actual md5sum (without the stdin filename), use the current unixtime with a `logmark-` prefix.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/856
Acked-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Instead of using `date | md5sum` and parsing the output to get the
actual md5sum (without the stdin filename), use the current unixtime
with a `logmark-` prefix.
This function is based on reload_profile() in tools.py, but also
replaces most of reload_base() in aa.py.
For bonus points, we get rid of shell=True when calling apparmor_parser.
Note: This slightly changes the behaviour of aa-logprof and aa-genprof -
if the parser errors out ($? > 0), the output no longer gets hidden.
However, this will not raise an exception, and aa-logprof and aa-genprof
won't abort on parser errors.
Today, a normal user connected and did something (dunno what) that caused smbd to try to `/usr/share/samba/mdssvc/elasticsearch_mappings.json`:
Samba logs:
```
root@smb:~# journalctl -b0 -u smbd
-- Logs begin at Fri 2022-01-21 14:17:01 UTC, end at Thu 2022-02-17 23:56:02 UTC. --
Feb 17 14:01:20 smb systemd[1]: Starting Samba SMB Daemon...
Feb 17 14:01:26 smb smbd[113]: [2022/02/17 14:01:26.904865, 0] ../../lib/util/become_daemon.c:135(daemon_ready)
Feb 17 14:01:26 smb systemd[1]: Started Samba SMB Daemon.
Feb 17 14:01:26 smb smbd[113]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Feb 17 21:05:35 smb smbd[3084]: pam_unix(samba:session): session opened for user jdoe by (uid=0)
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735182, 0] ../../source3/rpc_server/mdssvc/mdssvc_es.c:92(mdssvc_es_init)
Feb 17 21:05:37 smb smbd[3084]: mdssvc_es_init: Opening mapping file [/usr/share/samba/mdssvc/elasticsearch_mappings.json] failed: unable to open /usr/share/samba/mdssvc/elasticsearch_mappings.json: Permission denied
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735436, 0] ../../source3/rpc_server/mdssvc/mdssvc.c:1490(mdssvc_init)
Feb 17 21:05:37 smb smbd[3084]: mdssvc_init: backend init failed
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735562, 0] ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:152(_mdssvc_open)
Feb 17 21:05:37 smb smbd[3084]: _mdssvc_open: Couldn't create policy handle for partage
Feb 17 23:56:02 smb smbd[3084]: pam_unix(samba:session): session closed for user jdoe
```
Since the 'smb' machine is a container, the Apparmor denial ended up in the host's log:
```
$ journalctl -o cat --grep samba -k --since today | cat
audit: type=1400 audit(1645131937.730:98): apparmor="DENIED" operation="open" namespace="root//lxd-smb_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/share/samba/mdssvc/elasticsearch_mappings.json" pid=35359 comm="smbd" requested_mask="r" denied_mask="r" fsuid=166549 ouid=165536
```
It is the first time it occurs in years of use but it seems legitimate as:
1) this file is installed by the package
2) `git grep -F elasticsearch_mappings` in Debian samba's source shows many hits:
```
$ git grep -F elasticsearch_mappings
debian/samba.install:usr/share/samba/mdssvc/elasticsearch_mappings.json
docs-xml/manpages/mdsearch.1.xml: <filename>/usr/share/samba/mdssvc/elasticsearch_mappings.json</filename>
docs-xml/smbdotconf/misc/elasticsearchmappings.xml: <value type="default">&pathconfig.SAMBA_DATADIR;/elasticsearch_mappings.json</value>
docs/manpages/mdfind.1:/usr/share/samba/mdssvc/elasticsearch_mappings\&.json
docs/manpages/smb.conf.5:\fI\fIelasticsearch:mappings\fR\fR\fI = \fR\fI${prefix}/var/samba/elasticsearch_mappings\&.json\fR\fI \fR
selftest/selftest.pl: elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
selftest/target/Samba3.pm: elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
source3/rpc_server/mdssvc/es_parser_test.c: "%s/mdssvc/elasticsearch_mappings.json",
source3/rpc_server/mdssvc/mdssvc_es.c: "%s/mdssvc/elasticsearch_mappings.json",
source3/rpc_server/wscript_build: 'mdssvc/elasticsearch_mappings.json')
```
While only the `mdssvc` sub-dir could be authorized, the whole dir content seemed OK for read access anyway:
```
root@smb:~# ll /usr/share/samba/
total 53
drwxr-xr-x 5 root root 10 Feb 1 14:08 ./
drwxr-xr-x 67 root root 67 Jun 22 2021 ../
-rwxr-xr-x 1 root root 1163 Jan 31 13:11 addshare.py*
drwxr-xr-x 3 root root 4 Feb 1 14:08 admx/
drwxr-xr-x 2 root root 3 Feb 1 14:08 mdssvc/
-rwxr-xr-x 1 root root 2059 Jan 31 13:11 panic-action*
-rwxr-xr-x 1 root root 1333 Jan 31 13:11 setoption.py*
drwxr-xr-x 5 root root 57 Feb 1 14:08 setup/
-rw-r--r-- 1 root root 8942 Jan 31 13:11 smb.conf
-rwxr-xr-x 1 root root 2682 Jan 31 13:11 update-apparmor-samba-profile*
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/853
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
It appears secret detection is failing if the master branch in the tree a merge request is being made from is too (some unknown value) far behind the branch of the tree it is being merged into.
This is problematic as it is not started practice to refresh the upstream branches of forked trees, but to keep multiple remotes in a single local tree, branch from mainline master, work on the branch and push to the fork for the merge request. This will require contributors to refresh their forked trees in secret-detection fails. Which may be problematic for some contributors, but since we don't know how bad this is going to be, for now re-enable secret detection.
This reverts commit 8b4344c17b.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/854
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
Unfortunately secret detection is failing with
fatal: error in object: unshallow sha1
and blocking merge requests. Unfortuntely all suggested work arounds
from https://gitlab.com/gitlab-org/gitlab/-/issues/351976 failed to
work.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Update apache2-common so that other processes can trace the hats that include this file. The main `usr.sbin.apache2` profile includes `abstractions/base` which has these lines in it, which is why `ss -tnlp` sometimes fails and sometimes works.
See also: [Debian Bug #1003153](https://bugs.debian.org/1003153) for more details about how this occurs.
Fixes: https://bugs.debian.org/1003153
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/852
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Libapparmor was fixed for lto builds on commit 7cde91f5 but
the parser was also failing due to the same reasons when lto
was enabled.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/214
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
As shellcheck taught me
today (https://github.com/koalaman/shellcheck/wiki/SC2015),
"A && B || C is not if-then-else. C may run when A is true".
It does not matter here in practice, because worst case we would run "true" once
too many, but still.
In this case it does not matter, we're merely testing if we can actually
read from that file, but let's make this robust (and shellcheck happy)
for future's sake.
Reference: https://www.shellcheck.net/wiki/SC2162
In 73e124d4fb I've upstreamed the `is_container_with_internal_policy()` function, but so far it was not used anywhere upstream. This is the missing bit.
I could trace the history of that patch back to 2012 (2.7.102-0ubuntu3):
* debian/apparmor.init: do nothing in a container. This can be
removed once stacked profiles are supported and used by lxc.
(LP: #978297)
Context: I lack both knowledge and motivation to keep maintaining this as part of the Debian delta. I'd rather see upstream, and in particular folks more knowledgeable than me about LXC/LXD, or with external motivation factors to work on this part of the stack, take care of it.
Note: Debian has similar code in its [sysvinit script](https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/master/debian/apparmor.init). I'm not touching that one.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/840
Acked-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This MR depends on !843, mostly for convenience and to avoid having to rework it once !843 is merged. If this turns out to be a blocker, I can rebase it `--onto` master.
It's based on the draft from !584 and !716, but on top of copying'n'pasting the examples from the GitLab documentation, which was necessary but not sufficient, in this MR I tried my best to make these features work in our context: it actually passes CI, it does not clutter the CI UI with jobs that are not applicable here, and it yields a manageable amount of output (as opposed to hundreds of "OMG you're using format strings", that I don't think any of us is going to triage one by one any time soon).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/844
Acked-by: Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This makes the pipeline run time about 30% shorter and, perhaps more importantly, this gives us more direct access to test failures: they are not hidden in the middle of the huge `test-all` log anymore.
As a bonus, this gives us much faster feedback for tests with a short duration.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/843
Acked-by: Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This script is used at least by LXC upstream and MySQL in Debian:
https://codesearch.debian.net/search?q=%2Flib%2Fapparmor%2Fprofile-load
Presumably it could be useful elsewhere if it was more readily available.
Similarly to !840, this is another user of the `is_container_with_internal_policy()` function. I'd like all the callers of this function to live in harmony under the same roof, upstream.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/841
Acked-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This allows distributions to start aa-notify automatically, should they wish so, by installing that file in a suitable location, such as `/etc/xdg/autostart`.
This file was introduced in Ubuntu 2.8.95~2430-0ubuntu3 package in 2014, replacing the `/etc/X11/Xsession.d` snippet that Ubuntu had added in 2010.
I'd like to stop having to care about this file as part of the Debian delta and to enable greater collaboration.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/839
Acked-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
libtool generates horrible shell code, you don't want to see the
shellcheck results for it ;-)
This is only relevant for local testing (not in CI) because these files
don't exist in git and therefore don't exist when the shellcheck CI job
runs.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/847
Acked-by: Approved-by: intrigeri <intrigeri@boum.org>
Merged-by: Christian Boltz <apparmor@cboltz.de>
