profiles/apparmor.d: Fix file_mmap violation for bsc#1192336.
See merge request apparmor/apparmor!819
Acked-by: Christian Boltz <apparmor@cboltz.de> for 3.0 and master
abstractions/python: merge /usr/ and /usr/local/ rules, and add some new rules
See merge request apparmor/apparmor!814
Acked-by: Georgia Garcia <georgia.garcia@canonical.com>
If there's still some code left that tries to access an uninitialized
item in 'aa' (reading or writing), this will result in a very visible
crash instead of silently seeming to work.
Testing shows that we seem to correctly initialize each item in 'aa' (no
crashes), therefore let's hope the best ;-)
- allow reading *.so.*
- allow directory listings in .../site-packages/
- allow reading various metadata files
These additions are based on denials seen on openSUSE Leap 15.3 with
python 3.9.
This keeps all existing permissions, and adds a few that were out of
sync:
- /usr/lib*/python3.*/lib-dynload/*.so missed 3.1[0-9]
- /usr/lib/python3/... was missing, only /usr/local/python3/ was allowed
Both aarch64 and s390x have a bigger wtmp record size (16 bytes more than x86_64, 400 bytes total).
The byte position of the timestamp is also different on each architecture. To make things even more interesting, s390x is big endian.
Note that this MR includes more things, like
* moving `get_last_login_timestamp()` to the new `apparmor/notify.py` file
* add unit tests for it
* add wtmp example files from various architectures, including a hand-edited one claiming to be from 1999
* fixing a bug in `get_last_login_timestamp()` that unpacked `type` from too many bytes - which accidently worked on x86_64
* detecting from which architecture the wtmp file comes (luckily the timestamps are located at different locations)
See the individual commits for details.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1181155
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/809
Acked-by: John Johansen <john.johansen@canonical.com>
Ensure that pre-2000 and post-2050 dates get rejected, and something in
between gets accepted.
This also extends coverage to 100% - before, the post-2050 branch was
not covered.
Both aarch64 and s390x have a bigger wtmp record size (16 bytes more
than x86_64, 400 bytes total).
The byte position of the timestamp is also different on each
architecture. To make things even more interesting, s390x is big endian.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1181155
'type' is a short (see "ut_type" in wtmp(5)), therefore only read two
bytes and unpack them as short. Afterwards read two padding bytes to
/dev/null.
This accidently worked on x86_64 because it's little endian, but will
fail on big endian architectures.
Whenever the evince deb package tries to open a snap browser which was
selected as the default, we get the following denial:
audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
As a short-term solution, we are adding a snap-browsers profile
which restricts what snaps opened by evince can do.
The long-term solution is currently not available, but could be
accomplished by using enhanced environment variable filtering/mediation
and delegation of open fds.
Bug: https://launchpad.net/bugs/1794064
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Some distros use /run/lock/samba as the Samba lock directory, so allow
that in the samba abstraction in addition to /run/samba.
MR: https://gitlab.com/apparmor/apparmor!805
Acked-by: John Johansen <john.johansen@canonical.com>
... and some rules in the smbd profile to execute it and send it a term
signal.
samba-bgqd is (quoting its manpage) "an internal helper program
performing asynchronous printing-related jobs."
samba-bgqd was added in Samba 4.15.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
MR: https://gitlab.com/apparmor!807
Acked-by: John Johansen <john.johansen@canonical.com>
... and some rules in the smbd profile to execute it and send it a term
signal.
samba-bgqd is (quoting its manpage) "an internal helper program
performing asynchronous printing-related jobs."
samba-bgqd was added in Samba 4.15.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
A small patch set to fix two issues with binutils/aa-features-abi:
1. The `aa-features-abi -f` short argument was not added to the
`getopt_long()` set of short arguments, resulting in the command
incorrectly failing when passed -f
2. Due to variable shadowing the file descriptor for the `--file`
argument was not being autoclosed.
- binutils/aa-features-abi: make -f short arg actually be accepted
- binutils/aa-features-abi: fix failure to close fd due to shadowed
var decl
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/804
The variable used to store the file descriptor for the --file ended up
being declared twice, resulting in the autoclose attribute attached to
the first declaration being removed by the shadowed second declaration.
Fix this by converting the second declaration to just be an assignment,
as was intended.
strace output before:
[...]
) = 1925
close(1) = 0
exit_group(0) = ?
+++ exited with 0 +++
strace output after removing shadow declaration:
) = 1925
close(1) = 0
close(3) = 0
exit_group(0) = ?
+++ exited with 0 +++
(File descriptor 3 is what is returned by the open() call on the
--file argument.)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/804
The aa-features-abi -f short argument was not added to the
getopt_long() set of short arguments, resulting in the command
incorrectly failing like so:
$ ./aa-features-abi -f /etc/apparmor.d/abi/3.0
./aa-features-abi: invalid option -- 'f'
USAGE: ./aa-features-abi [OPTIONS] <SOURCE> [OUTPUT OPTIONS]
[...]
The long --file option works as expected.
Fix this by adding f to the set of short arguments passed to
getopt_long().
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/804
The parser is broken on RLIMIT parsing when receiving unexpected input
because the shared state for this specifies RLIMIT_MODEINCLUDE which
is an unknown start condition resulting in the following warning
parser_lex.l:745: undeclared start condition RLIMIT_MODEINCLUDE
and also means RLIMIT and INCLUDE are not properly handled
Signed-off-by: John Johansen <john.johansen@canonical.com>
If /proc/*/attr/apparmor/current exists, only read that - instead of
falling back to /proc/*/attr/current if a process is for example
unconfined so that read_proc_current returns None.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/199
Some STATUS log events trigger a crash in aa-notify because the log
line doesn't have operation=. Examples are:
type=AVC msg=audit(1630913351.586:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"
type=AVC msg=audit(1630913352.610:6): apparmor="STATUS" info="AppArmor sha1 policy hashing enabled" pid=1 comm="swapper/0"
Fix this by not looking at log events without operation=
Also add one of the example events as libapparmor testcase.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/194
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/797
Acked-by: John Johansen <john.johansen@canonical.com>
The default log format for void linux is not handled by current log
parsing. The following example message results in an invalid record
error.
2021-09-11T20:57:41.91645 kern.notice: [ 469.180605] audit: type=1400 audit(1631392703.952:3): apparmor="ALLOWED" operation="mkdir" profile="/usr/bin/kak" name="/run/user/1000/kakoune/" pid=2545 comm="kak" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
This log message fails on parsing
kern.notice:
which differs from the expect syslog format of
host_name kernel:
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/196
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/799
Signed-off-by: John Johansen <john.johansen@canonical.com>
When building with YYDEBUG=1 the following failure occurs
grammar.y:49:46: error: unknown type name ‘no_debug_unused_’; did you mean ‘debug_unused_’?
void aalogparse_error(unused_ void *scanner, no_debug_unused_ char const *s)
^~~~~~~~~~~~~~~~
debug_unused_
g
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/799
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some STATUS log events trigger a crash in aa-notify because the log
line doesn't have operation=. Examples are:
type=AVC msg=audit(1630913351.586:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"
type=AVC msg=audit(1630913352.610:6): apparmor="STATUS" info="AppArmor sha1 policy hashing enabled" pid=1 comm="swapper/0"
Fix this by not looking at log events without operation=
Also add one of the example events as libapparmor testcase.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/194
