Commit graph

3137 commits

Author SHA1 Message Date
Steve Beattie
0a8e97098d parser: fix --cache-loc short arg option (-L)
When the --cache-loc option was added in trunk commit 1916, it was
intended that -L would be the short form of the option (based on
documentation and usage changes). However, the commit mistakenly
did not include the short option in the list included in the call
to getopt_long(3). This patch adds it along with the indicator
that it requires an argument (the different cache location) to the
getopt_long() call.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-02-04 14:28:21 -08:00
John Johansen
572fe066da The preprocessing output is broken, in a couple of places
includes come out like

  #include 

  ##included <tunables/home>

which is wrong because #include by itself is broken, and since -p is
supposed to be removing includes, it should not be directly echoed

any keyword in the keyword table is double echoed

  ownerowner /{run,dev}/shm/pulse-shm* rwk


Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-02-02 19:23:10 -10:00
Christian Boltz
19038d063b /usr/lib/dovecot/auth reads the mysql config files, which is not covered by
abstractions/mysql.

This binary/profile seems to be the only one that needs to do this, so 
add it to this profile (instead of abstractions/mysql) to avoid superfluous
permissions for other programs with abstractions/mysql

Acked-by: John Johansen <john.johansen@canonical.com>
2014-02-02 15:16:25 +01:00
Christian Boltz
a38ce71813 update usr.bin.dovecot profile
after testing the dovecot profiles on a new server, I noticed 
/usr/sbin/dovecot needs some more permissions:
- mysql access
- execution permissions for /usr/lib/dovecot/dict and lmtp
- write access to some postfix sockets, used to
  - provide SMTP Auth via dovecot
  - deliver mails to dovecot via LMTP 
- and read access to /proc/filesystems

Acked-by: John Johansen <john.johansen@canonical.com>
2014-02-02 15:13:51 +01:00
Christian Boltz
8b802b3fe6 update logprof.conf for UsrMove
logprof.conf contains a list of binaries in the [qualifiers] section 
that should for example never have their own profile.

Since some distributions moved lots of files from /bin/ to /usr/bin/ 
("UsrMove"), this list is outdated.

The patch adds copies of all /bin/ (and /sbin/) lines with /usr 
prepended.

Acked-by: John Johansen <john.johansen@canonical.com>
2014-02-02 15:12:32 +01:00
Kshitij Gupta
1126e1f8d7 Fixed the sample --trace feature. Opinions on using it? and should it be implemented in every tool separately? 2014-02-01 07:04:08 +05:30
Kshitij Gupta
21d1c4572d 2014-02-01 06:32:20 +05:30
Kshitij Gupta
c82fda86b6 Some bugfixes for UIYesNo to deny invalid keys, fix autodep when creating new profiles 2014-02-01 06:14:05 +05:30
Christian Boltz
bdaf2592e8 apparmor.vim says "attach_disconnect" is correct, but the parser only
likes "attach_disconnected".

Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-01-29 23:16:36 +01:00
Christian Boltz
0fa4676d30 [3/3] dovecot profiles: update usr.sbin.dovecot profile for dovecot 2.x
The usr.sbin.dovecot profile needs several updates for dovecot 2.x, 
including
- capability dac_override and kill
- Px for various binaries in /usr/lib/dovecot/

The patch also adds a nice copyright header (I hope I got the bzr log 
right ;-)


Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-26 22:48:02 +01:00
Christian Boltz
df94a355fc [2/3] dovecot profiles: add profiles for new dovecot 2.x binaries
dovecot 2.x comes with several new binaries in /usr/lib/dovecot. 
This patch adds profiles for

/usr/lib/dovecot/anvil 
/usr/lib/dovecot/auth 
/usr/lib/dovecot/config 
/usr/lib/dovecot/dict 
/usr/lib/dovecot/dovecot-lda 
/usr/lib/dovecot/lmtp 
/usr/lib/dovecot/log 
/usr/lib/dovecot/managesieve 
/usr/lib/dovecot/ssl-params

References: https://bugzilla.novell.com/show_bug.cgi?id=851984


Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-26 22:46:51 +01:00
Christian Boltz
86ed060f25 [1/3] dovecot profiles: introduce tunables/dovecot
Introduces tunables/dovecot (with @{DOVECOT_MAILSTORE}) and replace 
the mail storage location in various dovecot-related profiles with 
this variable.

Also add nice copyright headers (I hope I got the bzr log right ;-)


Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-26 22:43:42 +01:00
Felix Geyer
6733da5fcd nameservice abstraction: read permission to avahi socket
From: Felix Geyer <debfx@ubuntu.com>

AppArmor requires read and write permission to connect to
unix domain sockets but the nameservice abstraction only
grants write access to the avahi socket.
As a result mdns name resolution fails.

Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-26 12:16:54 -08:00
Steve Beattie
cb679f3206 add keyword 'other' vim syntax support, plus language parsing tests
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 11:17:23 -08:00
Steve Beattie
9bb81e1ed3 parser: add rttime rlimit support
This patch adds support for the rttime rlimit (aka RLIMIT_RTTIME),
available since the 2.6.25 kernel, according to the getrlimit(2)
man page; see that man page for more details on this rlimit.
An acceptance test is also added, as well as an update to the
apparmor.vim input template.

While reviewing to see what made sense in apparmor.vim for the rttime
rlimit, I discovered that RLIMIT_RTTIME's units are microseconds, not
seconds like RLIMIT_CPU (according to the setrlimit(2) manpage). This
necessitated not sharing the case switch with RLIMIT_CPU. I didn't add
a keyword for microseconds, but I did for milliseconds. I also don't
accept any unit larger than minutes, as it didn't seem appropriate
(and even minutes felt... gratuitous). I would appreciate feedback
on what keywords would be useful here.

Patch History:
  v1: initial submission
  v2: - add apparmor.vim support for rttime keyword
      - adjust RLIMIT_TIME value assignment due to its units being
        microseconds, not seconds, and add milliseconds keyword.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 11:06:31 -08:00
Steve Beattie
f65368068f regression tests: minor dbus compilation cleanups
This patch replaces explicitly named output targets with the make
variable $@ as well as an instance where dbus_common.h was being added
to the compile command line due to the use of $^ rather than $<.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 11:03:22 -08:00
Steve Beattie
1fd3b5ed5a parser: close file handle left opened
Close file handle left opened if parser.cfg is found and read from.
Found by cppcheck.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 10:59:30 -08:00
Steve Beattie
fb3baeaf23 parser: fix memory leak on calloc() failure
Fix leaked memory if calloc() fails. Found by cppcheck.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 10:58:06 -08:00
Steve Beattie
8237c6fb28 parser: simplify handling of default matching patterns
Seth Arnold noticed an ugly string.clear(); convert_entry(string,
NULL) pattern occurred frequently following the conversion to using
std::string. This patch replaces that by using a static pointer to
a constant string matching pattern, and also converts other uses of
that pattern. It also adds a function wrapper that will clear the
passed buffer before calling convert_entry().

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 10:47:42 -08:00
Steve Beattie
d4c8971b65 parser: pull forward free() calls
As noted by Seth Arnold, in expand_by_alternations() if our set
variable has at least one value, then we're going to rewrite the entry,
so rather than sprinkle the free()s near where the reallocation occurs,
use one free() once we're guaranteed to need to do so.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 10:45:48 -08:00
Steve Beattie
78fe398a2f parser: replace reverse iterator
As suggested by Seth Arnold, we can use string::find_last_not_of()
instead of using C++'s hideous reverse iterators.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 10:30:08 -08:00
Steve Beattie
39564bbdf5 parser: remove unneeded e_buffer_overflow
As noted by Seth Arnold, e_buffer_overflow is no longer set in
convert_aaregex_to_pcre(), so remove it and the sole check for it.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 10:27:58 -08:00
Steve Beattie
6e701f798f parser: remove static sized buffer in process_dbus_entry()
This patch converts a stack allocated buffer into an std::ostringstream
object. The stringstream interface for specifying the equivalent of
a printf %02x conversion is a bit of an awkward construction, however.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 10:25:47 -08:00
Steve Beattie
5f18a7c237 parser: remove unneeded vars/allocations in regex unit tests
Based on feedback from Seth Arnold, the convert_aaregex_to_pcre()'s
first argument is const char *, and thus the unit test macros don't need
to pass a copy of the input string to it, as it's guaranteed to be
unmodified by the function.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 10:21:30 -08:00
Steve Beattie
fdd89f1da5 parser: eliminate bison warning
This patch eliminates the bison warning about "%name-prefix =" being
deprecated.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 10:19:59 -08:00
Steve Beattie
52b3458972 mod_apparmor: include errno in log messages for failures
This patch includes the errno in the log messages generated by two
different failed aa_change_hat() calls and the failure to open
/dev/urandom to get the random token, to further ease failure
diagnosis.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 14:50:07 -08:00
Steve Beattie
016e1f1b19 mod_apparmor: eliminate unnecessary back out aa_change_hat() calls
This patch removes unnecessary back out aa_change_hat() calls that occur
if the prior aa_change_hat() call failed. It used to be the case
that an aa_change_hat() call that failed would result in the task being
placed in a profile with no permissions except the ability to
aa_change_hat() back out, but this behavior has been removed from
apparmor for many, many years now.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 14:44:24 -08:00
Steve Beattie
6fd2f36bd8 mod_apparmor: add logging for AAHatName/AADefaultHatName policy misconfig
This patch adds code that checks the resulting hat that apache gets
placed into, and verifies, if the apache configuration specified an
AAHatName or AADefaultHatName, that it was the resulting hat. If it
wasn't, emit a warning message to the apache log, as this
likely indicates a mismatch between the apache configuration and its
apparmor policy (i.e. why define AAHatName if you aren't going to
create the corresponding hat in the apparmor policy?)

Note for AADefaultHatName, a message is not logged if a defined
AAHatName would also apply or if there is a hat defined for the uri,
as each of those come first in the order of attempted hats.

Also note that the way the hat name is manually calculated will break
for nested profiles and stacking. It should be fine for all current
deployments as we don't allow nesting beyond the first subprofile level
in policy yet. And stacking will likely only be used between namespaces
where aa_getcon() will not report parent namespace info. However, when
libapparmor adds functionality to query the hatname, the code that
computes it here should be replaced by a call to that library function.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 14:42:00 -08:00
Steve Beattie
c98f54ecdc mod_apparmor: convert aa_change_hat()s into single aa_change_hatv()
This patch converts the request entry point from using multiple (if
necessary) aa_change_hat() calls into a single aa_change_hatv() call,
simplifying the code a bit, requiring fewer round trips between
mod_apparmor and the kernel for each request, as well as providing more
information when the apache profile is in complain mode.

Patch history:
  v1: initial version
  v2: - the server config (scfg) code accidentally re-added the
        directory config (dcfg) hat to the vector of hats, fix that
      - actually add the DEFAULT_URI hat to the vector of hats, instead
        of only logging that that is happening.
      - pass errno to ap_log_rerror() if aa_change_hatv() call fails.
      - don't call aa_change_hat again if aa_change_hatv() call fails,
        as this is no longer necessary.
  v3: - Based on feedback from jjohansen, convert exit point
        aa_change_hat() call to aa_change_hatv(), in order to work
        around aa_change_hat() bug addressed in trunk rev 2329,
        which causes the exiting aa_change_hat() call to fail and
        results in the apache process being killed by the kernel.
        When it's no longer likely that mod_apparmor could run into
        a system libapparmor that still contains this bug, this can
        be converted back.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 14:08:46 -08:00
Steve Beattie
8250e061d4 mod_apparmor: make the ServerName be the default AADefaultHatName
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1207424

This patch makes the default value for AADefaultHatName be the
server/vhost name, which can be specified in apache via the ServerName
configuration declaration. It can be overridden by setting
AADefaultHatName directly. Thus, with this patch applied, the order of
attempted hats will be:

  1. try to aa_change_hat(2) into a matching AAHatName hat if it exists
     and applies, otherwise
  2. try to aa_change_hat(2) into the URI itself, otherwise
  3. try to aa_change_hat(2) into the value of ServerName, unless
     AADefaultHatName has been explicitly set for this server/vhost, in
     which case that value will be used, otherwise
  4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists,
     otherwise
  5. fall back to the global Apache policy

This should eliminate the need for most admins to define both
ServerName and AADefaultHatName, unless there's a specific need for
the values to deviate.

Man page documentation is updated as well, though probably more
wordsmithing is needed there for clarity.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 13:51:34 -08:00
Steve Beattie
1a008da295 mod_apparmor: fix AADefaultHatName storage
When defining an AADefaultHatName entry, it was being stored in the
passed mconfig location, which is not the module specific server
config, but instead the top level (i.e. no path defined) default
directory/location config. This would be superseded by a more specific
directory config if it applied to the request. Thus, if an AAHatName was
defined that applied, but the named hat was not defined in the apparmor
policy, mod_apparmor would not attempt to fall back to the defined
AADefaultHatName, but instead jump directly to trying the DEFAULT_URI
hat.

This patch fixes it by storing the defined AADefaultHatName correctly in
the module specific storage in the related server data structure. It
also adds a bit of developer debugging statements.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>


Bug: https://launchpad.net/bugs/1207424
2014-01-23 13:46:17 -08:00
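The hat-selection order described in these mod_apparmor commits (the AAHatName, URI, ServerName/AADefaultHatName, DEFAULT_URI fallback, the single aa_change_hatv() call, and the AAHatName misconfiguration warning), modelled as an added example. This is not mod_apparmor's code: the request_conf struct, the function names and the simulated policy lookup in select_hat() are assumptions made for the example; the real module hands the vector to aa_change_hatv() and reads the resulting hat back via aa_getcon().

```c
#include <stdio.h>
#include <string.h>

#define MAX_HATS 5

/* The apache settings that drive hat selection for one request. The struct
 * and how it is filled are assumptions for this example. */
struct request_conf {
    const char *aa_hat_name;         /* AAHatName from the applicable <Directory>/<Location>, or NULL */
    const char *uri;                 /* the request URI */
    const char *server_name;         /* ServerName of the vhost */
    const char *aa_default_hat_name; /* AADefaultHatName for the vhost, or NULL */
};

/* Build the ordered candidate vector that would be handed to aa_change_hatv():
 * AAHatName, then the URI, then AADefaultHatName if set (otherwise ServerName),
 * then DEFAULT_URI. Falling back to the global apache policy is what happens
 * when nothing in the vector exists. */
size_t build_hat_vector(const struct request_conf *c, const char *hats[MAX_HATS])
{
    size_t n = 0;
    if (c->aa_hat_name)
        hats[n++] = c->aa_hat_name;
    if (c->uri)
        hats[n++] = c->uri;
    if (c->aa_default_hat_name)
        hats[n++] = c->aa_default_hat_name;
    else if (c->server_name)
        hats[n++] = c->server_name;
    hats[n++] = "DEFAULT_URI";
    return n;
}

/* Stand-in for what the kernel does with aa_change_hatv(): the first hat in the
 * vector that the loaded profile defines is entered. `defined` is a
 * NULL-terminated list standing in for the hats in the apache profile. */
const char *select_hat(const char *hats[], size_t n, const char *defined[])
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; defined[j]; j++)
            if (strcmp(hats[i], defined[j]) == 0)
                return hats[i];
    return NULL; /* nothing matched: the task stays in the global apache profile */
}

/* The AAHatName check: a configured AAHatName that is not the hat actually
 * entered means the apache config and the apparmor policy disagree. Returns 1
 * when a warning should be logged. */
int hatname_misconfigured(const struct request_conf *c, const char *entered)
{
    if (!c->aa_hat_name)
        return 0;
    return entered == NULL || strcmp(entered, c->aa_hat_name) != 0;
}

int main(void)
{
    const char *hats[MAX_HATS];
    /* Constructed request: AAHatName "admin" is configured, but the simulated
     * policy defines no such hat, so the ServerName hat is entered instead. */
    struct request_conf c = { "admin", "/index.html", "www.example.com", NULL };
    const char *policy[] = { "www.example.com", "DEFAULT_URI", NULL };
    size_t n = build_hat_vector(&c, hats);
    const char *entered = select_hat(hats, n, policy);
    printf("entered hat: %s\n", entered ? entered : "(none, global profile)");
    if (hatname_misconfigured(&c, entered))
        printf("warning: AAHatName %s configured but hat not in policy\n", c.aa_hat_name);
    return 0;
}
```

The AADefaultHatName counterpart of the warning from commit 6fd2f36bd8 would be checked the same way, but only when no AAHatName applied and no hat for the URI exists, since those two come earlier in the vector. The storage bug fixed in 1a008da295 shows up in this model as AADefaultHatName being absent from the vector, so the request skips straight from a missing AAHatName hat to DEFAULT_URI.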
Steve Beattie
124f598090 mod_apparmor: improve initial and exit aa_change_hat call log message
This patch adds the name of the hat to the log message about the
initial aa_change_hat call, just to be explicit about what's happening
when debugging, and slightly changes the formatting of the exiting
change_hat log message.

Patch history:
  v1: initial version
  v2: tweak output of exit trace message

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 13:45:00 -08:00
Steve Beattie
3d155a3016 mod_apparmor: convert change_hat to aa_change_hat()
mod_apparmor never got converted to use the renamed aa_change_hat()
call (there's a compatibility macro in sys/apparmor.h); this patch does
that as well as converting the type of the magic_token to long from int.

(This patch is somewhat mooted by a later patch in the series to
convert to using aa_change_hatv(), but would be a safer candidate
for e.g. the 2.8 branch.)

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 13:43:36 -08:00
Steve Beattie
eff2a32082 mod_apparmor: convert debug_dump_uri to use trace loglevel
This patch converts the debug_dump_uri() function to use the trace
loglevels and enable it all the time, rather than just when DEBUG is
defined at compile time.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 13:41:57 -08:00
Steve Beattie
087ec5e1ce mod_apparmor: use trace1 loglevel for developer-oriented debug messages
Apache 2.4 added additional logging levels. This patch converts some of
the log messages that are more intended for mod_apparmor development
and debugging than for sysadmins configuring mod_apparmor to use trace1
(APLOG_TRACE1) level instead. Since apache 2.2 does not contain this
level (or define), we define it back to APLOG_DEBUG.

Patch history:
  v1: initial version
  v2: mark a couple of additional log messages as trace1 level

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 13:40:19 -08:00
Steve Beattie
637a6bfe9f mod_apparmor: fix logging
The apache2 mod_apparmor module was failing to log debugging messages
when the apache loglevel was set to debug or lower (i.e. traceN). This
patch fixes it by using ap_log_rerror() (for request specific messages,
with the request passed for context) and ap_log_error() (more general
messages outside of a request context).

Also, the APLOG_USE_MODULE macro is called, to mark the log messages as
belonging to the apparmor module, so that the apache 2.4 feature of
enabling debug logging for just the apparmor module will work, with an
apache configuration entry like:

  LogLevel apparmor:debug

See

  http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html

for specifics about the ap_log_*error() and APLOG_USE_MODULE functions
and macros, and

  http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel

for the bits about module specific logging.

Patch history:
  v1: initial version
  v2: - revert to using ap_log_error with (the 2.4 specific)
        ap_server_conf outside of a request specific context, as the
        pool specific ap_log_perror messages weren't being reported.
      - add compatibility workaround for apache 2.2
  v3: keep commented out merge function's log call consistent with the
      others

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 13:38:31 -08:00
Steve Beattie
2d504e3c71 libapparmor: fix aa_change_hat token format string
This patch fixes the format string for the magic token in aa_change_hat
to match the type of the magic token (long). Without this, on 64
bit platforms, only the bottom 32 bits of the token would be used.
aa_change_hatv() has the correct format string, so an aa_change_hatv()
call followed by an exiting aa_change_hat() call would result in the
latter having a different token, which would cause the process to be
killed by apparmor.

(Hat tip to John Johansen for spotting the actual bug.)

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 13:16:56 -08:00
Christian Boltz
960a8aee87 several updates for the winbindd profile
(collected in the openSUSE package over the last months)

- add abstractions/samba to usr.sbin.winbindd profile
  (and clean up things that are included in the abstraction - the cleanup
  part is not in the openSUSE package)
- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile 
  (bnc#851131)
- updates for samba 4.x and kerberos (bnc#846586#c12 and #c15, 
  bnc#845867, bnc#846054)
- drop always-outdated "Last Modified" comment

References: see the bnc# above (they are bug numbers at 
bugzilla.novell.com)

Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 15:04:12 +01:00
Launchpad Translations on behalf of apparmor-dev
32eb900317 Launchpad automatic translations update. 2014-01-22 05:15:04 +00:00
Christian Boltz
1886ab9f35 make sure all profiles have #include <local/...>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-01-20 23:35:13 +01:00
Steve Beattie
b3c9d8b86b utils: address pep8 complaints
This patch eliminates the complaints from running:

  pep8 --ignore=E501 aa-easyprof vim/

(E501 is 'line too long', which I'm not too chuffed about.)

Mostly, it's a lot of whitespace touchups, with a few conversions from
'==' to 'is'.

Commit includes applied feedback from cboltz.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-01-20 11:51:01 -08:00
Steve Beattie
2edb7d57be periodic sync up with trunk 2014-01-20 11:47:14 -08:00
Steve Beattie
f6af922088 po files: eliminate msgfmt missing language header warning
Current builds include many warnings when building translations message
files like so:

  msgfmt -c -o ja.mo ja.po
  ja.po:5: warning: header field 'Language' missing in header

According to what I read in the entry for Language in
http://www.gnu.org/software/gettext/manual/gettext.html#Header-Entry
the language entry should be (in our case) the same as the file name
minus the .po suffix. This patch adds the language field for those
po files that were missing it.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-01-20 11:45:10 -08:00
Steve Beattie
5bae654061 parser: add additional language tests to get wider test coverage
This patch adds several assorted language tests, to exercise various
parts of the parser that were not being covered by the language tests
previously. Areas lacking were found using the coverage compilation
option; coverage from the language tests is still incomplete.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-01-17 23:20:51 -08:00
Christian Boltz
68fbe714a4 allow dnsmasq read config created by recent NetworkManager
(see  http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d82669d3fdaa7ec70ef1b64941c101ac810c394b 
for details)

Patch by develop7 [at] develop7.info

Acked-by: Jamie Strandboge <jamie@canonical.com>
2014-01-17 20:58:21 +01:00
Steve Beattie
6e2733a945 merge sync with trunk 2014-01-17 11:20:46 -08:00
Steve Beattie
bae37248f5 parser+utils: adjust translation bugs reporting address
This patch updates the Report-Msgid-Bugs-To: to point to the apparmor
list instead of the old Novell forge address. It also makes the
Project-Id-Version: field consistent.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-01-17 11:19:33 -08:00
Steve Beattie
cb7e717a7e utils: fix apparmor.vim rlimits support
The rlimits syntax checking support in apparmor.vim was broken in
various unhelpful ways:

  - lacked support for the 'infinity' keyword (aka RLIM_INFINITY)
  - lacked support for the 'ofile' rlimit, an alias for the nofile
    rlimit
  - lacked support for the 'cpu' rlimit (aka RLIMIT_CPU)
  - incorrect syntax for nofile|nproc|rtprio rlimits (didn't include
    required '<=' between the limit name and value)
  - incorrect syntax for specifying optional SI units for size based
    rlimits (e.g. 'MB' is required, but syntax only allowed incorrect
    'M'; that said, one could argue the parser is overly strict here,
    and the pattern should be '[KMG]B?')

(See the setrlimit(2) man page for more details on the specifics of the
rlimit definitions.)

This patch fixes the above issues.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-01-17 11:14:27 -08:00
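An added example, not the AppArmor parser's code, showing the units point from the rttime commit and the syntax points from this apparmor.vim fix together: a small parser for `set rlimit <name> <= <value>,` rules that converts each value into the unit the kernel expects (seconds for RLIMIT_CPU, microseconds for RLIMIT_RTTIME, bytes for size limits) and accepts the `infinity` keyword and the `ofile` alias. The accepted unit keywords, the function names and the relaxed `[KMG]B?` size suffix are assumptions made for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RL_INFINITY UINT64_MAX  /* stands in for RLIM_INFINITY from <sys/resource.h> */

enum rlimit_kind { RL_SECONDS, RL_MICROSECONDS, RL_BYTES, RL_COUNT };
struct rlimit_desc { const char *name; enum rlimit_kind kind; };

/* Limits the commits above mention; 'ofile' is the alias for nofile. */
static const struct rlimit_desc rlimits[] = {
    { "cpu",    RL_SECONDS },       /* RLIMIT_CPU counts seconds */
    { "rttime", RL_MICROSECONDS },  /* RLIMIT_RTTIME counts microseconds */
    { "fsize",  RL_BYTES },
    { "nofile", RL_COUNT },
    { "ofile",  RL_COUNT },
};

static const struct rlimit_desc *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof rlimits / sizeof rlimits[0]; i++)
        if (strcmp(name, rlimits[i].name) == 0)
            return &rlimits[i];
    return NULL;
}

/* Factor that converts a value carrying suffix `unit` into the kernel unit for
 * `kind`; 0 means the suffix is not valid for that limit. The keyword set is an
 * assumption for this example, following the commit text (no microsecond
 * keyword, nothing above minutes, relaxed [KMG]B? for sizes). */
static uint64_t unit_multiplier(enum rlimit_kind kind, const char *unit)
{
    switch (kind) {
    case RL_SECONDS:
        if (!*unit || !strcmp(unit, "seconds")) return 1;
        if (!strcmp(unit, "minutes")) return 60;
        return 0;                        /* "ms" is not a whole number of seconds */
    case RL_MICROSECONDS:
        if (!*unit) return 1;            /* a bare number is already microseconds */
        if (!strcmp(unit, "ms")) return 1000;
        if (!strcmp(unit, "seconds")) return 1000000;
        if (!strcmp(unit, "minutes")) return 60ULL * 1000000;
        return 0;
    case RL_BYTES:
        if (!*unit) return 1;
        if (!strcmp(unit, "K") || !strcmp(unit, "KB")) return 1ULL << 10;
        if (!strcmp(unit, "M") || !strcmp(unit, "MB")) return 1ULL << 20;
        if (!strcmp(unit, "G") || !strcmp(unit, "GB")) return 1ULL << 30;
        return 0;
    case RL_COUNT:
        return *unit ? 0 : 1;
    }
    return 0;
}

/* Parse "set rlimit <name> <= <value>[unit]," into the kernel's unit for that
 * limit. Returns 0 on success and -1 on any syntax, range or unit error. */
int parse_rlimit_rule(const char *rule, char name_out[16], uint64_t *out)
{
    char name[16], value[32], *end;
    if (sscanf(rule, " set rlimit %15s <= %31[^,],", name, value) != 2)
        return -1;                       /* e.g. the required '<=' is missing */
    const struct rlimit_desc *d = lookup(name);
    if (!d)
        return -1;
    strcpy(name_out, name);
    if (!strcmp(value, "infinity")) {
        *out = RL_INFINITY;
        return 0;
    }
    errno = 0;
    unsigned long long n = strtoull(value, &end, 10);
    if (end == value || errno == ERANGE || !isdigit((unsigned char)value[0]))
        return -1;                       /* rejects "-1", "+5", "abc" */
    uint64_t mult = unit_multiplier(d->kind, end);
    if (mult == 0 || n > UINT64_MAX / mult)
        return -1;                       /* bad suffix for this limit, or overflow */
    *out = (uint64_t)n * mult;
    return 0;
}

int main(void)
{
    /* Constructed rules for illustration, not taken from a shipped profile. */
    const char *rules[] = { "set rlimit rttime <= 5ms,", "set rlimit cpu <= 2minutes,",
                            "set rlimit fsize <= 4MB,", "set rlimit ofile <= infinity,",
                            "set rlimit cpu <= 5ms," };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        char name[16]; uint64_t v;
        if (parse_rlimit_rule(rules[i], name, &v) == 0)
            printf("%-30s -> %s = %llu\n", rules[i], name, (unsigned long long)v);
        else
            printf("%-30s -> rejected\n", rules[i]);
    }
    return 0;
}
```

The last rule in main() is rejected on purpose: 5ms is a legal rttime value but cannot be expressed for RLIMIT_CPU, whose unit is whole seconds, which is the reason the rttime commit could not share the cpu case in the parser.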
Steve Beattie
f9d1005b9d utils: remove unneeded imports from aa-easyprof and aa-sandbox
Found by running pyflakes on these scripts.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-01-17 00:09:23 -08:00
Steve Beattie
62d636f125 parser: add rlimit language acceptance tests
The parser was lacking language tests for rlimits. This test adds
several, one for each rlimit type.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-01-16 23:11:07 -08:00