The log parsing in the Immunix::AppArmor perl module has fallen behind
when it comes to audit events from some of the newer rule types
supported by apparmor_parser.
When an unsupported event is found, it causes aa-logprof to error out.
This patch creates a list of valid, but unsupported, event operations
that should be ignored by the perl module when parsing logs.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
From: John Johansen <john.johansen@canonical.com>
let allow be used as a prefix in place of deny. Allow is the default
and is implicit so it is not needed but some user keep tripping over
it, and it makes the language more symmetric
eg.
/foo rw,
allow /foo rw,
deny /foo rw,
Patch history:
v1: - initial revision
v2: - rename yacc target rule from opt_deny to opt_perm_mode to
reflect
that it can be either an allow or deny modifier
- break apart tests into more digestible chunks and to clarify
their purpose
- fix some tests to exercise 'audit allow'
- add negative tests for 'allow' and 'deny' in the same rule
- add support for 'allow' keyword to apparmor.vim
- fix a bug in apparmor.vim to let it recognize multiple
capability entries in a single line.
v3: - add support for optional keywords on capability rules in
regression tests, as well as the bare capability keyword (via
'cap:ALL')
- add allow, deny, and conflicting capability behavioral
regression tests
- fix vim syntax modeline to refer to apparmor in parser tests
- adjust FILE regex in vim syntax file creator script
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
example with LANG=pt_BR) because a regex relies on netstat output.
Enforce LANG=C to make sure aa-unconfined always sees the expected output.
Acked-by: Steve Beattie <steve@nxnw.org>
(The broken URLs were introduced in r1582.)
for utils/*.pod:
Acked-by: Steve Beattie <steve@nxnw.org>
for the other directories:
Patch by Steve Beattie
Acked-by: Christian Boltz <apparmor@cboltz.de>
The profile parsing in the Immunix::AppArmor perl module has fallen
behind when it comes to some of the newer rule types and syntax
supported by apparmor_parser.
When an unsupported rule is found, it causes aa-logprof and aa-genprof
to error out. This patch creates a list of valid, but unsupported rule
types that should be ignored by the perl module when parsing policy.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Patch by Kshitij Gupta <kgupta8592@gmail.com>
A previous bugreport [1] was fixed using the smartmatch operator,
which raised the minimum Perl version requirement to >=5.10.1 .
However in Perl5.18 the smartmatch operator has again become
"experimental" [2] so the following patch replace smartmatch operator
with grep and thereby avoiding the requirement hike and avoiding
warnings.
[1] https://bugs.launchpad.net/apparmor/+bug/1180230
[2] http://blogs.perl.org/users/mike_b/2013/06/a-little-nicer-way-to-use-smartmatch-on-perl-518.html
ACKed-by: Christian Boltz <apparmor@cboltz.de>
1) make sure that the xpra socket exists before trying to attach to it
2) make sure that the client has attached before we start the application
The fix for '1' solves a problem when the system is under load and the
one for '2' fixes a problem with firefox starting too soon and not
having system themes applied.
Exercising the 1 week rule. Seth Arnold commented on the added sleeps and I
adjusted one based on his comments and replied to the list that the other is
needed and that this improves the sandbox/xpra code but that there are
limitations with driving xpra.
Acked-By: Jamie Strandboge <jamie@canonical.com>
This patch adds a test script/driver for the aa-decode utility. The only
change from the previous versions is to support overriding the location
of the aa-decode to test via the APPARMOR_DECODE environment variable
and documenting the utils/ tests in the top level README.
The aa-decode test can be run directly from the commandline in the utils
directory like so:
test/test-aa-decode.py -v
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Handling stdin was totally broken (= no output) with the current log
format because aa-decode expected name= to be the last entry in the
log line.
This patch for stdin handling
- fixes the pattern to match the current log format (name= is NOT the
last part in the log entry)
- uses bash replacement to avoid some sed calls (which also means the
script now needs an explicit "#!/bin/bash")
- prints decoded filenames in double instead of single quotes to be
consistent with filenames that were not encoded
- also prints lines that do not contain an encoded filename (instead of
grepping them away)
- replace tr calls by perl's uc() (also for non-stdin mode)
- also handle encoded profile names (introduced by Steve)
- don't fail if a file or profile name contains a '
In other words: you can pipe your audit.log through aa-decode, and the
only difference to the raw audit.log is that filenames are decoded.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
/etc/apparmor/profiles/extras/, and update the path at various places.
Also update the mailinglist address in extra-profiles README and
recommend cp instead of mv.
Note: if you want to have a symlink
/etc/apparmor/profiles/extras -> /usr/share/apparmor/extra-profiles/
for backward compability, you'll have to create it yourself (for example
in the .spec file)
This also fixes https://bugzilla.novell.com/show_bug.cgi?id=713647
Acked-by: John Johansen <john.johansen@canonical.com>
@{HOME}/.Xauthority
utils/apparmor/sandbox.py: verify the above rule is any any dynamic templates
that use -X
utils/aa-sandbox.pod: update man page to warn about /.Xauthority access
- use signal.<signal> instead of hardcoding a number
- add --with-xauthority option
- remove '-r' and '--with-geometry' and use --with-xephyr-geometry instead
- allow passing arguments to the application when using aa-exec
- kill with SIGTERM, then try again with SIGKILL
- always use os.execv() in forks. Using cmd() when not specifying '-d' created
different behaviors between debug and non-debug mode
- better cleanup Xpra when aa-exec command fails
- use the full dummy.xorg.conf, which gives us the correct modelines for large
displays. This fixes the issue "Server's virtual screen is too small .... You
may see strange behavior." which should up when the window's size was bigger
than the 'current server resolution'
