Python 3.7 was released yesterday - and to make the abstraction
future-proof, also cover 3.8 and 3.9 in advance ;-)
(cherry picked from commit 01f41fbff8)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/139
write_pair() ignored the 'tail' parameter, which resulted in writing
invalid alias rules (without the trailing comma).
Also add an alias to test/cleanprof.* to ensure it doesn't break again.
(cherry picked from commit ae4ab62855)
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/119
Writing a "link subset" rule missed a space, which resulted in something
like
link subset/foo -> /bar,
Also add a test rule to tests/cleanprof.* to ensure this doesn't break
again.
[Fixed up conflicts in cleanpprof_test.in and .out -- @smb]
(cherry picked from commit 514535608f)
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/117
The mount regression test passes MS_MANDLOCK to the mount(2) syscall in
the test program. When the kernel is configured without
CONFIG_MANDATORY_FILE_LOCKING set, attempting to mount a filesystem with
this option always fails with EPERM. To fix, convert the test program to
use the MS_NODEV option instead.
(cherry picked from commit 49ba6af2bf)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://bugs.launchpad.net/apparmor/+bug/1765025
PR: https://gitlab.com/apparmor/apparmor/merge_requests/109
Dovecot profile updates
See merge request apparmor/apparmor!90
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6b78daf25b)
36bdd6ea add dovecot/stats profile, and allow dovecot to run it
26a8b722 allow dovecot/auth to write /run/dovecot/old-stats-user
Fix typo in apparmor_parser.pod
See merge request apparmor/apparmor!85
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
(cherry picked from commit 47da50b7e6)
50ee50f9 Fix typo in apparmor_parser.pod
Fix $(PWD) when using "make -C profiles"
See merge request apparmor/apparmor!80
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 14096cb3a7)
20893382 Fix $(PWD) when using "make -C profiles"
ignore .git in is_skippable_dir()
See merge request apparmor/apparmor!77
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 3b5683be29)
f9eb3fea ignore .git in is_skippable_dir()
set DBUS_SESSION_BUS_ADDRESS, needed by notify-send
See merge request apparmor/apparmor!53
Acked-by: intrigeri <intrigeri@debian.org> for 2.9..master
(cherry picked from commit 0eefeeb0e7)
cb5cdf26 set DBUS_SESSION_BUS_ADDRESS, needed by notify-send
Allow to create .nv directory
See merge request apparmor/apparmor!69
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
(cherry picked from commit 21b0d14ea4)
11e7dab9 Allow to create .nv directory
abstractions/X: add another location for .Xauthority
See merge request apparmor/apparmor!39
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit bcfb735b9a)
bb96e38a abstractions/X: add another location for .Xauthority
Fix local pulseaudio config file access
See merge request apparmor/apparmor!38
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
(cherry picked from commit 6713f9d94a)
f73627cb Fix local pulseaudio config file access
Fix signal sending for usr.sbin.dovecot
See merge request apparmor/apparmor!36
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
(cherry picked from commit 6db30f8faf)
9f24650e Fix signal sending for usr.sbin.dovecot
Exit rather than returning from shell snippets in Makefiles. It is
reported that returning causes the following error message with bash:
/bin/sh: line 4: return: can only `return' from a function or sourced script
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Christian Boltz <apparmor@cboltz.de>
Don't print a literal '\n' in aa-remove-unknown help
See merge request apparmor/apparmor!21
Acked-by: Tyler Hicks tyhicks@canonical.com for 2.9..trunk
(cherry picked from commit 3d40bc6f23)
4d4228d1 Don't print a literal '\n' in aa-remove-unknown help
allow dac_read_search and dac_override for dovecot/auth
See merge request apparmor/apparmor!14
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
(cherry picked from commit 42bd81df01)
6f6b3c57 allow dac_read_search and dac_override for dovecot/auth
Allow to read pulseaudio config subdirectories
See merge request apparmor/apparmor!12
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9, 2.10, 2.11 and trunk
(cherry picked from commit 4b8b08562a)
9658471d Allow to read pulseaudio config subdirectories
Merge from trunk commit 3726
The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665
/etc/netconfig is required by the tirpc library which nscd and several
other programs use.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
with unix rules we output a downgraded rule compatible with network rules
so that policy will work on kernels that support network socket controls
but not the extended af_unix rules
however this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials for kernels that don't support
the extended af_unix rules.
cherry-pick: lp:apparmor r3700
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: timeout
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1057900
------------------------------------------------------------
revno: 3690 [merge]
committer: Steve Beattie <sbeattie@ubuntu.com>
branch nick: apparmor
timestamp: Wed 2017-08-09 08:57:36 -0700
message:
traceroute profile: support TCP SYN for probes, quite net_admin request
Merge from Vincas Dargis, approved by intrigeri.
fix traceroute denies in tcp mode
Acked-by: Steve Beattie <steve@nxnw.org>
------------------------------------------------------------
Backport to 2.10 and 2.9 branch
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
profiles - it's included via abstractions/nameservice
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
2.10 branch r3387 and 2.9 branch r3052 (Ignore change_hat events
with error=-1 and "unconfined can not change_hat") accidently added
unconfined-change_hat.profile to the test_multi directory.
2.9 and 2.10 don't support the test_multi *.profile files and error out
in the tests saying "Found unknown file unconfined-change_hat.profile",
therefore delete this file.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This option exists in several aa-* tools since 2.9, but isn't mentioned
in the manpage.
Also drop some trailing whitespace in the manpages.
Acked-by: John Johansen <john.johansen@canonical.com>
for 2.9, 2.10, 2.11 and trunk.
dovecot-lda needs
- the attach_disconnected flags
- read access to /usr/share/dovecot/protocols.d/
- rw for /run/dovecot/auth-userdb
References: https://bugs.launchpad.net/bugs/1650827
Acked-by: Steve Beattie <steve@nxnw.org> for 2.9, 2.10 and trunk.
https://launchpad.net/bugs/1668892
This patch creates a new utility, with the code previously used in the
init script 'restart' action, that removes unknown profiles which are
not found in /etc/apparmor.d/. The functionality was removed from the
common init script code in the fix for CVE-2017-6507.
The new utility prints a message containing the name of each unknown
profile before the profiles are removed. It also supports a dry run mode
so that an administrator can check which profiles will be removed before
unloading any unknown profiles.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
CVE-2017-6507
https://launchpad.net/bugs/1668892
The common AppArmor 'restart' code used by some init scripts, upstart
jobs, and/or systemd units contained functionality that is no longer
appropriate to retain. Any profiles not found /etc/apparmor.d/ were
assumed to be obsolete and were unloaded. That behavior became
problematic now that there's a growing number of projects that maintain
their own internal set of AppArmor profiles outside of /etc/apparmor.d/.
It resulted in the AppArmor 'restart' code leaving some important
processes running unconfined. A couple examples are profiles managed by
LXD and Docker.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
That's much better than crashing aa-logprof ;-) (use the log line in
the added testcase if you want to see the crash)
Reported by pfak on IRC.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Starting with python 3.6, the re.LOCALE flag can only be used with byte
patterns, and errors out if used with str. This patch removes the flag
in get_translated_hotkey().
References: https://bugs.launchpad.net/apparmor/+bug/1661766
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
merge from trunk commit revision 3630
In the environ regression test, when the exec() of the child process
fails, we don't report FAIL to stdout, so the regression tests consider
it an error rather than a failure and abort, short-circuiting the
test script.
This commit fixes this by emitting the FAIL message when the result
from the wait() syscall indicates the child process did not succeed.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
