pam_apparmor pam module. The default behavior is to use the user's
primary groupname, and to fall back to the DEFAULT hat. You can change
this behavior by appending order=type1[,type2,type3] to the pam_apparmor
session line in the pam config for the application you're applying
pam_apparmor to. The available types are 'user' for username, 'group'
for groupname, and 'default' for DEFAULT. Thus, adding a configuration
entry like:

    session optional pam_apparmor.so order=group,default

is equivalent to the default behavior for pam_apparmor.
The parse_option code got a little more complicated than I'd hoped
it would be; I could have just had types be space-delimited options to the
module, but I thought I'd leave open the possibility of adding additional
options to the module ('debug' immediately comes to mind).
I disabled the short-circuit that occurs if EPERM is returned by
change_hat, as we can't detect that this is because there's no hats or
that the application is entirely undefined; if ECHILD makes it in then
we can re-enable this.
I am less convinced now that pam_apparmor needs to be 'optional' than
'required'; killing the session if none of the change_hats succeeds is
starting to feel like reasonable behavior.
---
changehat/pam_apparmor/Makefile | 11 +
changehat/pam_apparmor/README | 74 +++++++++++++
changehat/pam_apparmor/get_options.c | 157 ++++++++++++++++++++++++++++
changehat/pam_apparmor/pam_apparmor.c | 155 +++++++++++++++++++--------
changehat/pam_apparmor/pam_apparmor.h | 56 +++++++++
changehat/pam_apparmor/pam_apparmor.spec.in | 2
6 files changed, 406 insertions(+), 49 deletions(-)
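As an added illustration (not pam_apparmor's own get_options.c), the following C model shows how an order=type1[,type2,...] argument on the session line would be turned into a probe order, falling back to group,default when the option is absent and rejecting unknown types. The names HAT_USER, parse_order and probe_plan are this example's own, not the module's.

```c
/* Added example: models pam_apparmor's "order=" option handling.
 * Function and enum names here are assumptions, not the module's API. */
#include <string.h>

enum hat_src { HAT_USER, HAT_GROUP, HAT_DEFAULT };
#define MAX_ORDER 3

/* Parse the module's argv into order[]; returns the count of types,
 * or -1 if a type is unknown or listed more than MAX_ORDER times.
 * With no order= option the result is group,default (the default). */
int parse_order(int argc, const char **argv, enum hat_src *order)
{
    const char *spec = NULL;
    char buf[64];
    int n = 0;

    for (int i = 0; i < argc; i++)
        if (strncmp(argv[i], "order=", 6) == 0)
            spec = argv[i] + 6;            /* last order= wins */
    if (!spec) {
        order[0] = HAT_GROUP;
        order[1] = HAT_DEFAULT;
        return 2;
    }
    strncpy(buf, spec, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (n == MAX_ORDER) return -1;
        if (strcmp(tok, "user") == 0) order[n++] = HAT_USER;
        else if (strcmp(tok, "group") == 0) order[n++] = HAT_GROUP;
        else if (strcmp(tok, "default") == 0) order[n++] = HAT_DEFAULT;
        else return -1;                    /* unknown type: reject option */
    }
    return n;
}

/* Fill names[] with the hat names that would be tried, in order:
 * the username, the primary group name, or the literal DEFAULT hat. */
int probe_plan(const enum hat_src *order, int n, const char *user,
               const char *group, const char **names)
{
    for (int i = 0; i < n; i++)
        names[i] = order[i] == HAT_USER ? user
                 : order[i] == HAT_GROUP ? group : "DEFAULT";
    return n;
}
```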
creates a tarball (and specfile) similar to 'make tarball' except that
it uses svn export to pull the latest committed version rather than the
current contents of the tree (as make tarball does). This is to make
pristine checkins to SUSE's autobuild system and the openSUSE
buildservice easier.
It turns out that audit and selinux were modified to slightly change the
behavior of getprocattr.
The changes are:
1. when the audit subsystem calls security_getprocattr it only allows
for a return code of EINVAL
2. when the audit subsystem calls security_getprocattr with the size
parameter set to 0, it expects the returned size to be the size
that would be put in the buffer.
This behavior is undocumented in LSM but the changes showed up in
audit and selinux.
This patch fixes AA so that when 0 is passed it will return the size
that would have been read. This in turn fixes the problem where the
audit system spits out a ton of
"error in audit_log_task_context" messages.
The AA getprocattr handling can still return error messages that are
not EINVAL, but these should not happen in the audit log context unless
audit makes an error.
The possible places are:
- audit passes a buffer that is too small - this shouldn't happen since
audit uses the return value from a probe with parameter size == 0
- audit task context is trying to read a /proc/<pid>/attr/current that is
the current task's context.
This shouldn't happen since the task context is for the current task.
- memory allocation fails
This one will generate the message, but the audit code itself will
generate the message if its allocation fails.
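As an added user-space model (not the AppArmor kernel code), the following shows the getprocattr contract the patch implements: a call with size 0 returns the length a read would produce, and the caller uses that to size its buffer before reading. model_getprocattr, read_task_context, the sample label and the choice of -ERANGE for an undersized buffer are this example's assumptions.

```c
/* Added example modelling the size == 0 probe convention described
 * above; names and the -ERANGE choice are assumptions, not kernel code. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the label a confined task would expose. */
static const char *sample_label = "/usr/sbin/sshd (enforce)\n";

/* Model of the LSM hook: size 0 is a probe and only reports the length;
 * otherwise the label is copied and its length returned. */
long model_getprocattr(const char *label, char *buf, size_t size)
{
    size_t len = strlen(label);

    if (size == 0)
        return (long)len;       /* probe: required size, nothing written */
    if (size < len)
        return -ERANGE;         /* assumption: undersized caller buffer */
    memcpy(buf, label, len);
    return (long)len;
}

/* Caller side, the way audit sizes its buffer: probe, allocate, read.
 * Returns a malloc'd NUL-terminated copy of the context, or NULL. */
char *read_task_context(const char *label)
{
    long need = model_getprocattr(label, NULL, 0);
    if (need < 0)
        return NULL;
    char *ctx = malloc((size_t)need + 1);
    if (!ctx)
        return NULL;            /* the allocation-failure case noted above */
    long got = model_getprocattr(label, ctx, (size_t)need);
    if (got != need) {
        free(ctx);
        return NULL;
    }
    ctx[got] = '\0';
    return ctx;
}
```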
of EACCESS when an unconfined process calls changehat. This enables
applications using the changehat api to detect that the application
is not confined so probing for a matching hat can be aborted.
Also add some history to the changelog in the specfile, clean up some
whitespace issues, and eliminate the no-longer-needed bogus LC_MESSAGES dir
used to work around SUSE autobuild (seems to have been addressed).
by naming the directory (e.g. #include </etc/apparmor.d/abstractions>).
It will skip over dotfiles as well as subdirectories. It is intended
to make scripting and packaging easier, as the including profile will
not need to know explicitly all of the names to include.
Long term, rather than hardcode that dotfiles will be skipped, it should
be configurable via /etc/apparmor.d/subdomain what patterns of files
should be skipped; genprof/logprof should also honor this setting. The
code could be reused as I'd like to make the parser just take a directory
on the command line rather than being fed profiles one at a time; again
it would skip files based on these same patterns.
This patch also eliminates some dead code in the include processing, as
well as replaces a couple of undersized fixed-size buffers (PATH_MAX is
4095 on linux; the buffers are not overflowable due to use of strncpy/snprintf)
with dynamically allocated ones.
directories). It also disables the longpath test (after locking up
another machine from running it), but adds a 'make alltests' target
which will run all the tests plus that one (and any others defined in
the RISKY_TESTS variable.)
pam_apparmor and here's a patch to address most of them--
* header comment was incorrect
* use pam_get_user() instead of pam_get_item()
* return an error if we're unable to change to the DEFAULT hat
In addition, this has a fix to make sure that the magic token we read
from /dev/urandom is not null (which would cause the hat probing to fail
if we need to fall back to the DEFAULT hat).
if necessary. Currently used to suppress warnings about unsafe/unfiltered
environment 'u' exec transitions.
[Corresponds to rev 6415 in the old svn repo]
This commit adds a test that checks to see if exec unconfined -->
confined requires any access to the binary being run confined. Current
behavior is that it does not.