The tools don't support having multiple rules in one line (they expect
\n after each rule), therefore mark some of the bare_include_tests as
known failures.
(cherry picked from commit 26af640fda)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some of the regression tests are missing conditionals or have the
wrong conditionals so that they fail on current upstream kernels.
Fix this by adding and changing conditionals and requires where
appropriate. With the patches the tests report passing on 4.14 and
4.15 kernels.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time out
(cherry picked from commit 6f1d054468)
This is a minimal patch to add conditional includes to the profile
language.
The syntax for conditional includes is similar to regular includes
except with the addition of "if exists" after "include"
include if exists <foo/bar>
include if exists "foo/bar"
include if exists "/foo/bar"
include if exists foo/bar
Note: The patch is designed to be backportable with minimum
effort. Cleanups and code refactoring are planned for follow up
patches that won't be back ported.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 2ea3309942)
includes were not handling WS in path names correctly. Allow WS within
quotes. Eg
include "foo bar"
include <"foo bar">
BugLink: http://bugs.launchpad.net/bugs/1738880
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 8d142809f5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit efd8eedd52)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is a minimal patch so that it can be backported to 2.11 and 2.10
which reverts the abort on error failure when the cache can not be
created and write-cache is set.
This is meant as a temporary fix for
https://bugzilla.suse.com/show_bug.cgi?id=1069906https://bugzilla.opensuse.org/show_bug.cgi?id=1074429
where the cache location is being mounted readonly and the cache
creation failure is causing policy to not be loaded. And the
thrown parser error to cause issues for openQA.
Note: A cache failure warning will be reported after the policy load.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz apparmor@cboltz.de
(cherry picked from commit 42b68b65fe1861609ffe31e05be02a007d11ca1c)
This patch supports rolling a tarball for a release, as well as doing
'make tag'. Only stuff that's been committed should get incorporated
into the tarball.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Denying it means netstat -p (actually tested with -tulpen) can't find
out the program name.
sys_ptrace is "only" needed for tracing processes that run under a
different uid.
Also add ptrace (read), for systems that support ptrace rules.
For now we only allow quoted absolute paths without spaces in the name
due to:
- 1738877: include rules don't handle files with spaces in the name
- 1738879: include rules don't handle absolute paths without quotes in
some versions of parser
- 1738880: include rules don't handle relative paths in some versions of
the parser
.gitignore additions for libapparmor tests, binutils, and the vim syntax highlighting files
See merge request apparmor/apparmor!43
Acked-by: Christian Boltz <apparmor@cboltz.de>
- dict needs abstractions/openssl (seen with dovecot 2.2.31 since
using openssl 1.1)
- imap needs to write tempfiles (seen with dovecot 2.2.31)
- managesieve-login needs access to the login-master-notify socket
(seen with dovecot 2.2.33)
- pop3-login needs access to the anvil socket (reported by pfak on
IRC some months ago)
- extend available_buttons() to display an "owner permissions on/off"
button if the rule supports it
- extend ask_the_questions() to handle these buttons
- add some tests to test-translations.py to avoid hotkey conflicts with
the newly added buttons
- move the code of set_options_audit_mode() to a new function
set_options_mode() and make set_options_audit_mode() a wrapper for it.
- add set_options_owner_mode() as another wrapper for set_options_mode()
and add code to switch the owner flag to set_options_mode()
- add tests for set_options_owner_mode()
This flag defines if the "Owner permissions on/off" button gets
displayed in aa-logprof.
False by default for all rule types (most of them don't support the
owner conditional). Also false for non-owner FileRule.
True only for FileRule if owner=True.
