but should look for '//null-' instead.
Also remove some code duplication by merging with the next condition,
which executes the same self.add_to_tree code.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 126, in check_for_LD_XXX
for line in f_in:
[...]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xf8 in position 40: ordinal not in range(128)
While on it, also replace usage of the "found" variable by "return"
statements, which should bring a small performance improvement - if we
have a match, it's superfluous to continue searching.
The patch also adds me to the copyright header ;-)
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
they only fail because of one (expected) reason and we notice if they
don't fail anymore. Complex profiles have the risk to fail for multiple
reasons, which also means nobody will notice if they fail for one reason
less.
The simplification is done by
- removing #include lines
- in some cases, replace the #include line with "/foo/bar r," to avoid
empty hats
Acked-by: Steve Beattie <steve@nxnw.org>
Kernel ABI v6 only required 'w' permissions for the parent process that
creates the socket, accepts a connection, writes to the socket, and
reads from the socket.
Kernel ABI v7 will require 'rw' permissions for the parent process. This
change detects the current kernel ABI version and adjusts the parent
process's confinement appropriately. It also performs a negative test to
make sure that 'w' is not sufficient.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This change only sets up unix_socket.sh to test abstract sockets.
Unconfined processes are tested while using an abstract socket but
the test function returns before testing with confinement.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Rename the test in preparation for expanding its capabilities to cover
all UNIX domain socket address format types.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
openSUSE now compiles samba --with-cachedir=/var/lib/samba (instead of
the default /var/cache/samba). This patch updates the smbd profile to
match this change.
Acked by: Seth Arnold <seth.arnold@canonical.com>
user/password files (everybody will use a different filename for the
user/password list - and when you allow reading the password list,
allowing to read the config doesn't add any harm ;-)
References: https://bugzilla.novell.com/show_bug.cgi?id=874094
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Subject: perl-apparmor: Properly handle bare 'file' keyword
References: bnc#889652
The bare file keyword is a shortcut for /{**,}. There are also implied
permissions that go with it.
This patch accepts the file keyword as well as allowing for missing mode
specifiers.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Subject: perl-apparmor: Handle bare 'capability' keyword
References: bnc#889651
Specifying 'capability' implies all capabilities, but the perl code didn't
recognize it.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Subject: perl-apparmor: Fix bare 'network' keyword handling
References: bnc#889650
The 'network' bare keyword was being printed as "audit network all" due to
two different bugs:
1) {audit}{all} was always being set to 1, regardless of whether the audit
keyword was used
2) {rule} eq 'all' is the wrong test - it should be {rule}{all}
With these fixed, 'network' is properly handled.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
- allow users to merge two profiles (2-way merge) using aa-mergeprof by
making the third profile optional
- re-enable code that cleaned up base and other profile and using it in
deleted count (was disabled due to pyflakes thinking it was unused)
Patch by Kshitij Gupta <kgupta8592@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adjusts the verbosity of several of the utils tests,
to make them all consistently verbose.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
tree python modules.
Also remove "sys.path.append('../')" (and now-unused "import sys") from
all tests that contain it for consistency and to make testing with the
installed modules possible (even if we don't have a USE_SYSTEM option
yet).
Acked-by: Steve Beattie <steve@nxnw.org>
saving the remaining profile after using "save selected profile".
When using "save selected profile", write_profile() (called by
write_profile_ui_feedback()) does "changed.pop(profile_name)".
However, saving the remaining profiles in save_profiles() uses a cached
version of changed.keys() and therefore tries to save a profile that
was already saved and is no longer part of "changed".
Also remove two commented lines we'll never need again:
- #changed.pop is done in write_profile()
- q['options'] is set some lines above
References: https://bugs.launchpad.net/apparmor/+bug/1341178
Acked-by: Steve Beattie <steve@nxnw.org>
This patch adds the new capability CAP_AUDIT_READ, added in the 3.16
kernel, to the utils severity.db. I set the severity level at 7,
since it seemed to offer less exposure than CAP_AUDIT_CONTROL and
CAP_AUDIT_WRITE, which are both considered severity 8.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
testcases) to
- sleep 10 seconds after each failed test to make failures more annoying
^W^W^W^Wgive people a chance to read failure details
- print a list of failed tests at the end
Also avoid duplicate code by letting runtests-py2.sh call runtests-py3.sh.
Acked-by: Steve Beattie <steve@nxnw.org>
LOG_MODE_RE is also defined (and used) in aamode.py.
This patch removes the superfluous definition from logparser.py.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch fixes some memory leaks in the libapparmor log parsing
functions, specifically around handling records obtained from syslog
and records containing network addresses.
Bug: https://bugs.launchpad.net/bugs/1340927
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch is cosmetic; it cleans up a lot of whitespace issues:
removing trailing spaces, converting tabs into spaces, and removing
unneeded spaces around function arguments.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch is a cosmetic set of changes to remove references to immunix
from the source code (except in the case of handling deprecated
keywords), as well as correcting my email address.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch adds an additional hat to try in the mod_apparmor processing
sequence, constructed from the host's ServerName + '-' + URI
(e.g. 'www.example.com-/some/uri'). This hat is attempted before the raw
URI hat is attempted, leaving the ordering as follows:
(1) to a hatname in a location/directory directive
(2) to the server name or a defined per-server default
(3) to the server name + "-" + uri
(4) to the uri
(5) to DEFAULT_URI
(6) back to the parent profile
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
In trunk revno 2335, a bug was fixed in mod_apparmor that corrected
the storage location for AADefaultHatName. The incorrect storage
caused the hat specified by the AADefaultHatName keyword to be the
default value for AAHatName, and meant that if both an AAHatName and
an AADefaultHatName entry were given in a vhost, mod_apparmor would
not fall back to trying AADefaultHatName if the hat specified in
AAHatName did not exist in the apache apparmor profile.
However, because the value specified in AADefaultHatName was the
default, if no AAHatName was specified, it would be attempted first,
before a hat based on the passed URI, rather than after as the
documentation stated and the code intended. By fixing the storage bug,
the attempted hat ordering now matched the documentation. But a number
of users came to rely on AADefaultHatName being attempted before
the URI. For trunk, this issue is less severe because mod_apparmor
passes a vector of hats to aa_change_hatv(), and thus missing URI
hats are not logged by the kernel apparmor bits. It still represents
a behavioral change to users, though.
This patch re-adjusts the ordering so that the URI-based hat is
attempted after the hat specified by AADefaultHatName is attempted,
thus maintaining the actual behavior before the bug addressed in
revno 2335 was fixed.
Patch history:
v1: initial revision
v2: no code changes; adjust comments and improve the man page
documentation
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Some updates for the dovecot profiles, based on a patch from
Christian Wittmer <chris@computersalat.de> (he sent it as SR for the
openSUSE package, which uses a slightly older version of the dovecot
profiles)
Fix problems with dovecot and managesieve:
* usr.lib.dovecot.managesieve-login: network inet6 stream
* usr.lib.dovecot.managesieve:
+#include <tunables/dovecot>
/usr/lib/dovecot/managesieve {
+ capability setgid, # covered by abstractions/dovecot-common, therefore not part of this patch
+ capability setuid,
+ network inet stream,
+ network inet6 stream,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
* add #include <abstractions/wutmp> to usr.lib.dovecot.auth
apparmor="DENIED" operation="open" parent=18310 \
profile="/usr/lib/dovecot/auth" name="/var/run/utmp" pid=20939 \
comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://launchpad.net/bugs/1322778
When configured with "clustering = yes", Samba needs to be able to
connect to the local ctdbd daemon socket, and directly manipulate .tdb
database files managed by ctdb.
Signed-off-by: David Disseldorp <ddiss@suse.de>
This commit adds a dovecot-common abstraction, as well as adjusting
the profiles for dovecot's helper binaries to make use of it. The
important addition is the ability for the dovecot master process to
send signals to the helpers.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Move postfix-common from program-chunks/ to abstractions/; remove
program-chunks directory since postfix-common was the last resident of
that directory (and had been since 2007), and adjust the includes of all
the profiles that include postfix-common.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
