We never did a release with the JSON code, and YaST (the only known user
of the JSON interface) will work with the added 'changes' dialog type
from r3721 without needing changes.
Also add a better comment/reason why a response for 'changes' is
expected, but gets ignored.
Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The python setup tools script is set to rewrite the shbang line of
scripts installed in ${PREFIX}/bin/ if the PYTHON environment variable
is set. Unfortunately, this (a) only covers the aa-easyprof script
as the rest are installed in ${PREFIX}/sbin/, and (b) we've deprecated
python 2 support, and hardcoded python3 as the interpreter for all of
the python scripts in the utils/ directory.
The only use for this feature would be if for some reason the utils did
not work properly with the default python3 interpreter and a specific
version was needed to be set, but I don't think that warrants keeping
the extra bit of code complexity around (and indeed, the snippet that
does this is forcibly disabled in Debian/Ubuntu).
Therefore, drop the shbang rewriting entirely.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
On 64bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT,
(2^22), which results in seven digit pids. Adjust the @{PID} variable in
tunables/global to accept this.
Acked-by: intrigeri <intrigeri@boum.org>
Acked-by: Steve Beattie <steve@nxnw.org>
Provides the filename in the json format, which can be
directly read by Yast. Increased the protocol version; perhaps
it should go in the next release.
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
[cboltz] fix "unused variable" warning and add a comment about ignoring
the JSON response
Acked-by: Christian Boltz <apparmor@cboltz.de>
This is a preparation patch to use for JSON mode of conveying
diff filename. In this patch we move diff generation functions to UI.
In the process, I have cleaned up the code to reduce code and enable reuse.
Remove unused function get_profile_diff().
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
[cboltz] Also adjust aa-mergeprof to the new function name/location
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The crash was caused by the more strict ProfileStorage in bzr trunk
(older versions use hasher() which is more forgiving, but also very
"useful" to hide quite some bugs)
Acked-by: Christian Boltz <apparmor@cboltz.de>
/etc/netconfig is required by the tirpc library which nscd and several
other programs use.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
The added testcase for a ptrace target with an empty string
(ptrace_garbage_lp1689667_1.in) was causing the swig python test script
to fail. The generated python swig record for libapparmor ends up
setting a number of fields to None or other values that indicate the
value is unset, and the test script was checking if the value in the
field didn't evaluate to False in a python 'if' test.
Unfortunately, python evaluates the empty string '' as False in 'if'
tests, resulting in the specific field that contained the empty string
to be dropped from the returned record. This commit fixes that by
special case checking for the empty string.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
YaST has two issues in the "save changed profiles" dialog:
- when using "save selected", the list of profiles doesn't get updated.
Update q.options inside the loop to fix this.
- the list of profiles is displayed as "["/usr/bin/foo", true]" instead
of just "/usr/bin/foo". Use changed.keys() instead of changed to fix
this. (text-mode aa-logprof doesn't change, it always displayed
"/usr/bin/foo" and continues to do so.)
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062667 part a)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11.
Note that 2.11 needs a slightly different patch (whitespace diff).
Merge fixes from Christian to address conflicting apparmor-utils
hotkeys in the Indonesian translation. Plus the usual lp timestamp
update.
Acked-by: Steve Beattie <steve@nxnw.org>
Updates to the following translations:
* binutils - add and update an entry to de.po
* utils
- de.po: add several entries
- en_GB.po: add many entries
- es.po: add non-existing(?) entry
- id.po: add many entries
- sv.po: update and add correct a number of entries
All other changes are the usual nonsense of launchpad updating
timestamps and export information.
Note one use of dbus is left because it is represnative of a unix
socket name used for communication with dbus
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The old out of tree patchseries has been completely dropped. v4.13
has most of the newer apparmor 3.x code in it. v4.14 has the rest except
the af_unix mediation which is included as the last patch
These files are used by OpenAL for better spatialization of sounds
when headphones are detected.
Bug and patch by Simon McVittie <smcv@debian.org>:
https://bugs.debian.org/874665
Not all kernels support writing the path_max kernel parameter after
boot. Detect if it can be written and run the long_path tests only
if it can be.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
newer versions of apparmor that support multi-transaction have this xpass
case fixed
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Update the tests to test whether the kernel and parser support domain
transitions on pivot_root.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
so that policy will work on kernels that support network socket controls
but not the extended af_unix rules
however this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials for kernels that don't support
the extended af_unix rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: timeout
'smc' seems to be new in kernel 4.12.
Note that the 2.10 apparmor.d manpage also misses the 'kcm' keyword, so
the patch also adds it there.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.11 and 2.10.
The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
This parameter is always [], so we can simplify the ReadLog __init__()
parameters.
Note that some tests handed over '' instead of []. This was a bug, but
didn't matter because those tests only use a small portion of ReadLog.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
'log' is only used in do_logprof_pass, and reset to [] at the beginning
of the function. Therefore it doesn't need to be a global variable.
Also, do_logprof_pass() initializes log = [], which gets then handed
over to ReadLog and overwritten by the read_log() call in the next line.
To make clear that [] gets handed over to ReadLog, replace log with []
and drop the now superfluous initialization with [].
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
profiles - it's included via abstractions/nameservice
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
In http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3659,
a testcase was added that where the expected output file did not match
the input source name, cause libapparmor's regression tests to fail:
Output doesn't match expected data:
--- ./test_multi/ptrace_no_denied_mask.out 2017-08-18 16:35:30.000000000 -0700
+++ ./test_multi/out/ptrace_no_denied_mask.out 2017-08-18 16:35:38.985863094 -0700
@@ -1,5 +1,5 @@
START
-File: ptrace_1.in
+File: ptrace_no_denied_mask.in
Event type: AA_RECORD_DENIED
Audit ID: 1495217772.047:4471
Operation: ptrace
FAIL: ptrace_no_denied_mask
This patch corrects the issue.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Merge from Vincas Dargis, approved by intrigeri
Fix user-write and user-download abstractions for non-latin file names.
Acked-by: Steve Beattie <steve@nxnw.org>
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
