As a step in preparing for out of band transitions and double walk
transitions rework the backend from using a char index to a class
with an larger range than char.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add nnp tests around the unconfined exception.
An unconfined task is allowed changing to a profile under nnp restrictions. However this has implications when the task has stacked confinement.
profile//&unconfined
profile//&:ns:unconfined
...
will not be caught by the unconfined test. Instead the unconfined exception needs to be tested as part of the subset test. Add tests to ensure we can catch regressions around a stacked unconfined profile.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/424
Signed-off-by: John Johansen <john.johansen@canonical.com>
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
Drop 'localinclude' in parse_profile_data() and ProfileStorage
See merge request apparmor/apparmor!427
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Acked-by: Steve Beattie <steve@nxnw.org> for 2.12..master
Fix a Python 3.8 autoconf check
See merge request apparmor/apparmor!430
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
Acked-by: Steve Beattie <steve@nxnw.org> for master and 2.13
Update the language description to provide some over arching
principles, such as the policy is declarative.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
README: add PYFLAKES=/usr/bin/pyflakes3 env variable
See merge request apparmor/apparmor!429
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
pyflakes 2.x nowadays complains about
aa-genprof:60: undefined name 'PermissionError'
We already deprecated py2 support in 2.11 (and obviously nobody tests
with py2 anymore), therefore recommending pyflakes3 makes sense.
Maybe we should also change our Makefiles to use py3 and pyflakes3 by
default, but that will be another (master-only) commit.
'localinclude' is/was meant to have 'local/*' includes separate, but
it's write-only and never used, which makes it useless.
Additionally, it causes a crash in the aa-* tools which gets fixed by
removing all the 'localinclude'-related code (what a big word for two
lines ;-)
References: https://bugs.launchpad.net/apparmor/+bug/1848227
The unconfined exception needs to be applied even when a stack is
being used. When a stack is in use it prevents the unconfined
test from being used and instead it must be done as part of the
subset test.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Permit the use of /etc/krb5.conf.d configuration snippets
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Originally submitted as https://build.opensuse.org/request/show/733763
drop deprecated perl code
* drop repair_obsolete_profiles (updated profiles for abstraction renames pre-2006)
* drop ancient perl aa-* tools and their modules (rewritten to python in 2.9)
* drop rc.aaeventd.{redhat,suse} initscripts (aaeventd was dropped long ago, therefore we don't need to keep its initscripts)
See merge request apparmor/apparmor!423
Acked-by: John Johansen <john.johansen@canonical.com>
Applications running under Xwayland in a GNOME+Wayland session need read access to this file since:
a8984a81c2
… that was first included in mutter 3.33.3.
This rule is presumably only needed for GNOME+Wayland sessions, so one could argue that it should live in abstractions/wayland instead, but Jamie argued that it should be in the X abstraction because Xwayland is a X server.
MR: https://gitlab.com/apparmor/apparmor/merge_requests/419
Bug-Debian: https://bugs.debian.org/935058
Acked-by: John Johansen <john.johansen@canonical.com>
879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.
Bug-Debian: https://bugs.debian.org/935058
Applications running under Xwayland in a GNOME+Wayland session need read access
to this file since:
a8984a81c2
… that was first included in mutter 3.33.3.
This rule is presumably only needed for GNOME+Wayland sessions, so one could
argue that it should live in abstractions/wayland instead, but Jamie argued that
it should be in the X abstraction because Xwayland is a X server.
With the effort to remove perl, it makes no sense to keep the depracted
perl code around for new releases.
Signed-off-by: John Johansen <john.johansen@canonical.com>
aa-status crashed if a profile name contains an opening parenthesis
because the regex enforces (simplified) '^[^(]* \(.*\)' when reading
/sys/kernel/security/apparmor/profiles
This obviously doesn't match if a profile name contains '(' which is
rare and strange, but still allowed, and the match result "None" then
crashes aa-status.
Adjust the regex to allow all chars instead of all except '(' to handle
these corner cases.
Note that '(enforce)' and '(complain)' still get read correctly because
the regex ends with '\((\w+)\)$' and therefore enforces matching
"something inside parenthesis at the end of the line".
This bug exists since aa-status was rewritten into python, and even
existed in the perl version before. However, in the perl version, the
regex matching was protected with an if so profile names with '(' were
skipped and hidden from the aa-status output.
Fixes: https://gitlab.com/apparmor/apparmor/issues/51
When a filesystem is mounted with the option *user*, the file selection
dialogue, e.g. in *Evince*, triggers an access of */run/mount/utab*, which
comes from *libmount* and should be allowed.
Winbind requires access to /var/cache/samba/msg.lock/*.
Move msg.lock/ to abstractions/samba.
On Arch Linux Winbind's pid is set to /run/winbindd.pid.
Signed-off-by: nl6720 <nl6720@gmail.com>
As discussed in https://gitlab.com/apparmor/apparmor/merge_requests/395
RE_LOG_ALL should be more broad so that it doesn't accidently
overlook/ignore valid log events.
Instead of adding more and more known log formats to logparser.py,
simplify the regex to do only a basic check.
If we really hand over a line to libapparmor that isn't an AppArmor log
event, worst thing that can happen is that we waste a few milliseconds
for handing over that line to libapparmor, and get AA_RECORD_INVALID as a
result.
logparser.py: don't error out on exec events without target
See merge request apparmor/apparmor!405
Acked-by: John Johansen <john.johansen@canonical.com>
tests: Allow aa_policy_cache.c to build against old libapparmors
See merge request apparmor/apparmor!407
Acked-by: John Johansen <john.johansen@canonical.com>
Improve readability by being explicit about the value to use when the
conditional evaluates to true.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: John Johansen <john.johansen@canonical.com>
Commit ad81ea0e67 ("tests: Add option to dump policy cache dir with
the libapparmor wrapper") modified aa_policy_cache.c to call
aa_policy_cache_dir_path_preview(). That added a hard dependency on
libapparmor >= 2.13, which is the first version to add
policy_cache_dir_path_preview() to libapparmor. The dependency makes it
impossible to build and run the upstream regression tests against an
installed libapparmor older than 2.13 due to aa_policy_cache.c failing
to build.
Add a compatible aa_policy_cache_dir_path_preview() when building
aa_policy_cache.c against a libapparmor older than 2.13 and newer than
or equal to 2.10.
Fixes: ad81ea0e67 ("tests: Add option to dump policy cache dir with the libapparmor wrapper")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Correct the long option used to print the cache directory.
Fixes: e9d9395f91 ("parser: Add option to print the cache directory")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Test the profile transition limits imposed by NO_NEW_PRIVS to ensure
that behavior doesn't unexpectedly change.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
commit 7297e2f6a8 assumed that exec events
always have a "target=...", but this is only true for events in complain
mode. In enforce mode, the log line doesn't include "target=...".
This commits sets an empty target instead of erroring out on every exec
event in enforce mode.
Also adjust ask_exec() in aa.py to only update
hashlog[aamode][target_profile]['final_name'] if target_profile is set
(hashlog[aamode][''] doesn't exist and trying to write to it would error
out)
- in complain mode, exec events include target=...
- in enforce mode, the log message doesn't include target=...
Note that the utils tests skip exec events (they'd be interactive),
therefore exec*.profile doesn't contain an exec rule.
