diff --git a/abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch b/abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch deleted file mode 100644 index cfcaeea..0000000 --- a/abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch +++ /dev/null @@ -1,31 +0,0 @@ -From eeac8c11c935edf9eea2bed825af6c57e9fb52e3 Mon Sep 17 00:00:00 2001 -From: Rich McAllister -Date: Tue, 31 Mar 2020 21:01:21 -0700 -Subject: [PATCH] abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns -References: bsc#1168306 - -In focal users of mdns get denials in apparmor confined applications. -An exampel can be found in the original bug below. - -It seems it is a common pattern, see -https://github.com/lathiat/nss-mdns#etcmdnsallow - -Therefore I'm asking to add - /etc/mdns.allow r, -to the file - /etc/apparmor.d/abstractions/mdns" -by default. - ---- - profiles/apparmor.d/abstractions/mdns | 1 + - 1 file changed, 1 insertion(+) - ---- a/profiles/apparmor.d/abstractions/mdns -+++ b/profiles/apparmor.d/abstractions/mdns -@@ -9,5 +9,6 @@ - # ------------------------------------------------------------------ - - # mdnsd -+ /etc/mdns.allow r, - /etc/nss_mdns.conf r, - /{,var/}run/mdnsd w, diff --git a/apparmor.changes b/apparmor.changes index c6d6d75..35960cc 100644 --- a/apparmor.changes +++ b/apparmor.changes 
@@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Thu May 21 12:17:15 UTC 2020 - Christian Boltz + +- add changes-since-2.13.4.diff with upstream changes and fixes + since 2.13.4 up to 5f61bd4c: + - add several abstractions related to xdg-open: + dbus-network-manager-strict, exo-open, gio-open, gvfs-open, + kde-open5, xdg-open + - introduce @{run} variable + - update dnsmasq and winbindd profile + - update mdns, mesa and nameservice abstraction + - some bugfixes in the aa-* tools, including a remote bugfix in the + YaST AppArmor module (boo#1171315) +- drop upstream(ed) patches (now part of changes-since-2.13.4.diff): + - make-4.3-capabilities.diff + - make-4.3-capabilities-vim.diff + - make-4.3-fix-utils-network-test.diff + - make-4.3-network.diff + - abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch +- apply usr-etc-abstractions-base-nameservice.diff only for + Tumbleweed, but not for Leap 15.x where it's not needed +- refresh usr-etc-abstractions-base-nameservice.diff + ------------------------------------------------------------------- Thu Apr 9 18:56:09 UTC 2020 - Goldwyn Rodrigues diff --git a/apparmor.spec b/apparmor.spec index 099124f..3404270 100644 --- a/apparmor.spec +++ b/apparmor.spec 
@@ -65,24 +65,12 @@ Patch4: apparmor-lessopen-profile.patch # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix) Patch5: apparmor-lessopen-nfs-workaround.diff +# changes and fixes since the 2.13.4 Release (v2.13.4 (= df0ac742)..5f61bd4c +Patch9: changes-since-2.13.4.diff + # update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447, only merged to master, not 2.13.x) Patch10: ./usr-etc-abstractions-base-nameservice.diff -# fix build with make 4.3 - network rules (taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/307, not in 2.13.x, boo#1167953) -Patch11: make-4.3-network.diff - -# fix build with make 4.3 - fix utils network tests (taken from upstream 9144e39d2, not in 2.13.x, boo#1167953) -Patch12: make-4.3-fix-utils-network-test.diff - -# fix build with make 4.3 - capability rules (taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/461, not in 2.13.x, boo#1167953) -Patch13: make-4.3-capabilities.diff - -# fix build with make 4.3 - fix apparmor.vim capability rules (submitted upstream 2020-03-29 https://gitlab.com/apparmor/apparmor/-/merge_requests/463, not in 2.13.x, boo#1167953) -Patch14: make-4.3-capabilities-vim.diff - -#Bug 1168306 - apparmor prevents the resolver from reading /etc/mdns.allow, and therefore forbids using any custom domain name -Patch15: abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch - PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix /lib/apparmor @@ -371,12 +359,12 @@ SubDomain. %patch3 -p1 %patch4 %patch5 +%patch9 -p1 + +%if 0%{?suse_version} > 1500 +# /usr/etc/ changes in abstractions, apply only to Tumbleweed, but not to Leap 15.x %patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 +%endif %build %define _lto_cflags %{nil} 
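Review bot: The new `Patch9:` comment in the first hunk has unbalanced parentheses — `(v2.13.4 (= df0ac742)..5f61bd4c` never closes the outer group — so it should read `# changes and fixes since the 2.13.4 release (v2.13.4 (= df0ac742)..5f61bd4c)`. Keeping that commit range accurate matters because this one bundled diff replaces five individually attributed patches (Patch11–Patch15), and the range is now the only provenance pointer a reviewer has for what the backport contains. In the second hunk the `%if 0%{?suse_version} > 1500` guard around `%patch10 -p1` is explained only at the apply site, while the `Patch10:` declaration above still describes the patch unconditionally; a short note there such as `# applied only for suse_version > 1500 (Tumbleweed), see %prep` would keep the two places from drifting. The `%prep` section that the second hunk belongs to starts outside the hunk.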
diff --git a/changes-since-2.13.4.diff b/changes-since-2.13.4.diff new file mode 100644 index 0000000..216e0de --- /dev/null +++ b/changes-since-2.13.4.diff 
@@ -0,0 +1,1602 @@ +commit 5f61bd4cf2c84c25ab5b106c4e58bc490dfa0ac2 +Merge: e038123f 72c2a7d2 +Author: Christian Boltz +Date: Wed May 20 19:23:21 2020 +0000 + + Merge branch 'cboltz-2.13-collapse-log' into 'apparmor-2.13' + + [2.12+2.13] collapse_log(): avoid accidently initializing aa[profile] + + See merge request apparmor/apparmor!539 + + Acked-by: John Johansen for 2.12 and 2.13 + +commit 72c2a7d2de6a86ecb7a4bab0f5b25052f4aca3bf +Author: Christian Boltz +Date: Wed May 20 20:06:27 2020 +0200 + + collapse_log(): avoid accidently initializing aa[profile] + + ... or calling is_known_rule() on events for non-existing hats. + + It's the usual hasher() "fun" again - accessing a non-existing element + will create its parent. + + In theory this commit might be worth a backport. In practise, it doesn't cause + any visible problem. + + However, starting with the next commit, it will cause lots of test errors. + + Also add a missing is_known_rule() call for dbus rules, which might have + caused similar hasher() "fun". + + (Backported from 9f1b2f4014ef27c5e7a17acadd03221387bb9809) + +commit e038123f8f1d31cc5d1ff639e06342357ca0d094 +Author: Christian Boltz +Date: Tue May 12 19:43:44 2020 +0000 + + Merge branch 'cboltz-fail-verbose' into 'master' + + read_profile(): don't fail silently + + See merge request apparmor/apparmor!530 + + Acked-by: Steve Beattie for 2.11..master + + (cherry picked from commit e0f9b7cb0760a16a4691baf771d17d5b8d6f2ee2) + + af8b9dc5 read_profile(): don't fail silently + +commit 28411030392ec372728d0f489e5573b11407a67e +Author: nl6720 +Date: Thu Feb 20 10:40:22 2020 +0200 + + profiles: add trailing slash to the run variable definition + + Merge request apparmor/apparmor!466 (454fca7483eae) pulled back the + @{run} variable definition from apparmor/apparmor!454 (452b5b8735e4) + to the 2.13 and 2.12 branches, to make backporting profile changes + easier. 
However, it did not include the followup fix to the @{run} + definition to include trailing slashes to ensure they are treated as + directories (apparmor/apparmor!456 ef591a67cedc). + + Signed-off-by: nl6720 + (cherry picked from commit ef591a67cedc1da0676b26448ea96fa8c073c253) + 
Signed-off-by: Steve Beattie + Acked-by: John Johansen + MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/533 + +commit 0e89e79a324c42945ca097fb2fb132f2c25c3afe +Author: Christian Boltz +Date: Sun May 10 22:54:34 2020 +0000 + + Merge branch 'cboltz-vim-alias' into 'master' + + apparmor.vim: allow leading whitespace for alias rules + + See merge request apparmor/apparmor!527 + + Acked-by: Steve Beattie for 2.11..master + + (cherry picked from commit ae70ecfbaafd2d2b18f51fe16e4107f861c2d8af) + + c636580f apparmor.vim: allow leading whitespace for alias rules + +commit 0ad7109eea32467b274426be771adeea7276d9d4 +Author: Christian Boltz +Date: Thu May 7 17:59:06 2020 +0000 + + Merge branch 'cboltz-less-shell' into 'master' + + less shell ;-) + + See merge request apparmor/apparmor!520 + + Acked-by: John Johansen + + (cherry picked from commit 6b55794074fb4e74a1e28b3eb1d1b97c2be1c06e) + + 48bae9e3 less shell ;-) + +commit eb5185c96193e1370d06e46297289deea8aa3588 +Merge: 6c638c97 da07cdf7 +Author: Christian Boltz +Date: Thu May 7 10:18:12 2020 +0000 + + Merge branch 'cboltz-2.13-genprof-fix-json' into 'apparmor-2.13' + + [2.11..2.13] Fix showing the local inactive profile in json mode + + See merge request apparmor/apparmor!516 + + Acked-by: Steve Beattie for 2.12 and 2.13 + +commit da07cdf79c5643878712e5a6e0fb6d7aadf71c61 +Author: Christian Boltz +Date: Wed May 6 23:20:07 2020 +0200 + + Fix showing the local inactive profile in json mode + + When aa-genprof proposes a local inactive profile, it had a hardcoded + call to 'less' to display that profile. + + Unsurprisingly, this doesn't work in JSON mode and breaks YaST (luckily + it's only a case of "the button doesn't work"). 
+ + References: https://bugzilla.opensuse.org/show_bug.cgi?id=1171315 + (cherry picked from commit 68a258b0064d98c376631fa27904a5be1a2e0044) + (cherry picked from commit cb95e9a2568b19e2e7601c0af363e0605a6889d9) + +commit 6e9dd6494b628639620523f48aeaf2aceed11584 +Author: Christian Boltz +Date: Thu May 7 01:06:05 2020 +0200 + + Split off UI_ShowFile() from UI_Changes + + UI_ShowFile() is more generic and can be used to display various (text) + files, not only diffs. + + (cherry picked from commit bb3803b931683c841768ba6256c29e16bebd2eeb, + adjusted for 2.13 branch) + +commit 6c638c97c528bb062f6c84a511340413a217e742 +Author: Christian Boltz +Date: Sun May 3 19:27:57 2020 +0000 + + Merge branch 'cboltz-vim-if-exists' into 'master' + + apparmor.vim: support 'include if exists' + + See merge request apparmor/apparmor!500 + + Acked-by: John Johansen for 2.12..master + + (cherry picked from commit a4864146e2d5b39bdc9635507f784fb5a268212b) + + efa7c6d6 apparmor.vim: support 'include if exists' + +commit b3dff41eb70eaf702467723d447c6893ef6f06c5 +Author: Christian Boltz +Date: Sun Apr 26 11:43:14 2020 +0000 + + Merge branch 'privacy' into 'master' + + Privacy statement + + See merge request apparmor/apparmor!441 + + Acked-by: Christian Boltz for 2.11..master + + (cherry picked from commit 4281b58c896c79294c813e6b6a36d05b1cdb0298) + + bfde89a6 infrastructure: Add privacy statement to the README + +commit cca58df6f52dc047857bdc2e7836b19a349fc177 +Author: John Johansen +Date: Sun Apr 26 09:45:04 2020 +0000 + + Merge Fixings for crosscompilation + + This series adds a couple of patches to make the software more crosscompilation friendly. They are based on the work I'm doing to fix the package on buildroot + + PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/485 + Acked-by: John Johansen + (cherry picked from commit 9ba2334423cccc811c0e59e3af604f06631a3d4f) + 
Signed-off-by: John Johansen + +commit 95b75a628a93e4ef1493b0be31968f4a3f13ff18 +Author: Daniel Gerber +Date: Mon Apr 20 16:47:11 2020 -0700 + + fix fails to load profiles in busybox with: + + egrep: bad regex '^/.[ \t]+flags[ \t]=[ \t]*([ \t]complain[ \t])[ \t]+{': Invalid contents of {} + + Note the final non-escaped {. + The issue is not present any more in branch master. + + Fixes: https://gitlab.com/apparmor/apparmor/-/issues/80 + Signed-off-by: John Johansen + +commit ddb747c0a9a39d00c2f55fa0e182d6b61ff1c5a8 +Author: Christian Boltz +Date: Sun Apr 12 09:45:12 2020 +0000 + + Merge branch 'profile-usr.sbin.dnsmasq' into 'master' + + usr.sbin.dnsmasq: update to support dnsmasq 2.81 + + See merge request apparmor/apparmor!475 + + Acked-by: Christian Boltz for 2.11..master + + (cherry picked from commit acafe9de826f7f9292fa0e7e8c3fc2a2c41d265a) + + 88c142c6 usr.sbin.dnsmasq: allow reading @{PROC}/@{pid}/fd/ as is needed by dnsmasq 2.81 + +commit 01841ade3a96ba372d78bbdca8c3c4ac61364afd +Author: John Johansen +Date: Wed Apr 8 08:34:41 2020 +0000 + + Merge Better error handling when creating apparmor.vim + + See the individual commits for details and bug references. + + PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/472 + Acked-by: John Johansen + +commit e02a0170141317df624a282195286733a298634e +Merge: dda6825f 0b31930b +Author: John Johansen +Date: Fri Apr 3 01:47:03 2020 +0000 + + Merge Backport xdg open + + @Talkless requested xdg-open and friends be cherry-picked into 2.13 + + This is the set of commits (and fixes) to do that without modifying them. + + We could drop backporting dbus-strict by modifying both the adding missing .d dirs, and add xdg-open and friends patches. + + This series does not currently include the make check test and its fixes for the .d directories, as they were not required but we may want to include them to catch any potential errors. + PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/471 + 
Signed-off-by: John Johansen + +commit 0b31930b3b8a2fe6be97079fb0807d2498397e6f +Author: John Johansen +Date: Tue Mar 31 23:05:51 2020 +0000 + + Merge exo-open: allow reading ~/.local/share/xfce4/helpers/*.desktop + + Fixes: https://gitlab.com/apparmor/apparmor/-/issues/73 + PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/467 + Acked-by: John Johansen + (cherry picked from commit b2d0d87ebac183895adef679be3904b8fc923e66) + Signed-off-by: John Johansen + +commit b9af6564a557f2dfe0ed0c84c7c08f4faea884e4 +Author: Christian Boltz +Date: Tue Feb 11 20:31:41 2020 +0000 + + Merge branch 'cboltz-exoopen-local' into 'master' + + Add #include if exists <*.d> to new abstractions + + See merge request apparmor/apparmor!453 + + Acked-by: Seth Arnold + (cherry picked from commit 962f1e7a7b1e2e97bfc6c42173b494b5609b0f29) + Signed-off-by: John Johansen + +commit 632fb92bc5464ceccbc6e71ccb55d052673c9a4c +Author: John Johansen +Date: Mon Feb 3 21:32:21 2020 +0000 + + Add xdg-open (and friends) abstraction + + Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments. + + Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers. + + PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404 + Acked-by: John Johansen + (cherry picked from commit d257afd3096b25f5d76e2575478c13d4f6930f9a) + Signed-off-by: John Johansen + +commit 79e942bf2a8ac00d33034edf34cfccc46c0bea3a +Author: Christian Boltz +Date: Mon Jan 27 19:42:45 2020 +0000 + + Merge branch 'cboltz-abstractions-missing-include' into 'master' + + add missing *.d include to dbus-network-manager-strict abstraction + + See merge request apparmor/apparmor!448 + + Acked-by: Seth Arnold + (cherry picked from commit eae474bb5c75129a9c5d0d02b1edf30636794900) + 
Signed-off-by: John Johansen + +commit c046bc83dc7ac0e2c3486d65ee07353687f79868 +Author: John Johansen +Date: Wed Nov 27 18:01:42 2019 +0000 + + Add dbus-network-manager-strict abstraction + + Some applications queries network configuration (using QNetworkConfigurationManager class in Qt and similar), and that produces DBus denials under AppArmor confinement when NetworkManager backend is used. + + Add abstraction that allows most common read-only DBus queries for getting current network configuration from NetworkManager backend. + + + PR: https://gitlab.com/apparmor/apparmor/merge_requests/409 + Acked-by: John Johansen + (cherry picked from commit a10fa57fb6274d32763d9df8e3051f6c45543776) + 
Signed-off-by: John Johansen + +commit dda6825ff2c268d582afe0ba7faf00ed2d525929 +Author: Rich McAllister +Date: Tue Mar 31 21:01:21 2020 -0700 + + abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns + + In focal users of mdns get denials in apparmor confined applications. + An exampel can be found in the original bug below. + + It seems it is a common pattern, see + https://github.com/lathiat/nss-mdns#etcmdnsallow + + Therefore I'm asking to add + /etc/mdns.allow r, + to the file + /etc/apparmor.d/abstractions/mdns" + by default. + + --- original bug --- + + Many repetitions of + + audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0 + + in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains + + hosts: files mdns [NOTFOUND=return] myhostname dns + + and /etc/mnds.allow contains the domains to resolve with mDNS (in may case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.) + + Presumably cronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow. + + Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629 + 
Signed-off-by: John Johansen + + (cherry picked from commit eeac8c11c935edf9eea2bed825af6c57e9fb52e3) + +commit 92f6679da99152c9c1557ba5adade19ea1b4ee4f +Merge: 03acdebf af0c288f +Author: John Johansen +Date: Tue Mar 31 22:05:47 2020 +0000 + + Merge [2.13] fix build with make 4.3 + + his MR backports the patches for make 4.3 compability to the 2.13 branch. + + Fixes: https://gitlab.com/apparmor/apparmor/-/issues/74 + Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1167953 + Acked-by: John Johansen + +commit 03acdebf071eba06f60ccbc33218a06367f6874f +Merge: 1f319c38 454fca74 +Author: John Johansen +Date: Tue Mar 31 21:59:34 2020 +0000 + + Merge [2.12 + 2.13] Add "run" variable + + Define the "run" variable in 2.12 and 2.13 to make backporting profile updates easier. + + Fixes: https://gitlab.com/apparmor/apparmor/-/issues/88 + PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/466 + + Acked-by: John Johansen + +commit 1f319c3870287b9a2cfa39e92344c9d35875b811 +Author: nl6720 +Date: Thu Mar 19 12:05:44 2020 +0200 + + abstractions/nameservice: allow accessing /run/systemd/userdb/ + + On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ . + + (cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4) + Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82 + Signed-off-by: nl6720 + 
Signed-off-by: John Johansen + +commit 411af09c9701004f7c7ff9d3fadb170c1a62e306 +Author: Christian Boltz +Date: Tue Mar 31 19:49:26 2020 +0000 + + Merge branch 'mesa-20.0' into 'master' + + abstractions/mesa: allow checking if the kernel supports the i915 perf interface + + See merge request apparmor/apparmor!464 + + Acked-by: Vincas Dargis + Acked-by: Christian Boltz for master and 2.13 + + (cherry picked from commit f56bab3f75dfbdfc9456628a392cabbb985a44bb) + + 61571da1 abstractions/mesa: allow checking if the kernel supports the i915 perf interface + +commit 454fca7483eae7b7ee613343c2c02abaa20e37e3 +Author: nl6720 +Date: Thu Feb 13 09:58:33 2020 +0200 + + Add "run" variable + + 
Signed-off-by: nl6720 + (cherry picked from commit 452b5b8735e449cba29a1fb25c9bff38ba8763ec) + +commit af0c288fcd4b9ddbf3a062d6d0e1c9618e8f3c75 +Author: Christian Boltz +Date: Sun Mar 29 00:07:11 2020 +0100 + + fix capabilities in apparmor.vim + + https://gitlab.com/apparmor/apparmor/-/merge_requests/461 / + e92da079ca12e776991bd36524430bd67c1cb72a changed creating the + capabilities to use a script. + + A side effect is that the list is now separated by \n instead of + spaces. Adjust create-apparmor.vim.py to the new output. + + (cherry picked from commit 60b005788e79c1be7276349242e0cc97b99f7118) + +commit 0d8e4cda3fb5194b82e288cadbcce98998064b7a +Author: allgdante +Date: Mon Mar 23 15:09:15 2020 +0000 + + Generate CAPABILITIES in a script due to make 4.3 + + This way we could generate the capabilities in a way that works with + every version of make. + Changes to list_capabilities are intended to exactly replicate the old + behavior. + + (cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a) + +commit 69651fc6565cf033ab763a607d786eb14143b7c6 +Author: John Johansen +Date: Fri Jun 14 01:04:22 2019 -0700 + + Revert "utils/test-network.py: fix failing testcase" + + This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0. + this commit was meant for the 2.13 branch not master + + 
Signed-off-by: John Johansen + (cherry picked from commit 9144e39d252cd75dd2d6941154e014f7d46147ca) + +commit fc2beaca9d642fb93736066f26e3588ad30ec7a4 +Author: Eric Chiang +Date: Thu Jan 17 11:02:57 2019 -0800 + + *: ensure make apparmor_parser is cached + + This change updates parser/Makefile to respect target dependencies and + not rebuild apparmor_parser if nothing's changed. The goal is to allow + cross-compiled tests #17 to run on a target system without the tests + attempting to rebuild the parser. + + Two changes were made: + + * Generate af_names.h in a script so the script timestamp is compared. + * Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a + + Changes to list_af_names are intended to exactly replicate the old + behavior. + + Signed-off-by: Eric Chiang + (cherry picked from commit cb8c3377babfed4600446d1f60d53d8e2a581578) + +commit 5972adc7e30c958bae36278751e218c35799106e +Author: Christian Boltz +Date: Mon Mar 23 20:14:27 2020 +0000 + + Merge branch 'master' into 'master' + + Update usr.sbin.winbindd profile to allow krb5 rcache files locking + + See merge request apparmor/apparmor!460 + + Acked-by: Christian Boltz for 2.11..master + + (cherry picked from commit 5c1932d0d634ee693b513f79fabe56c85d4c7f5f) + + 2c3001c7 Update usr.sbin.winbindd profile to allow krb5 rcache files locking + +commit 2e2529bae81b0858d5f25c3d6f886fa3eba3f502 +Author: Christian Boltz +Date: Tue Feb 26 21:27:00 2019 +0100 + + Replace deprecated assertEquals with assertEqual + + assertEquals is deprecated since Python 2.7 and 3.2. + + (cherry picked from commit 62abfe38e8bb3e6ba4dc873efbd1855888ea8aa0) + 
Signed-off-by: John Johansen + + + + + + + + + + + + +diff --git a/README.md b/README.md +index 4e337fa6..4366d62f 100644 +--- a/README.md ++++ b/README.md +@@ -45,6 +45,24 @@ Security issues can be filed as security bugs on launchpad + or directed to `security@apparmor.net`. Additional details can be found + in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities). + ++ ++-------------- ++Privacy Policy ++-------------- ++ ++The AppArmor security project respects users privacy and data and does not collect data from or on its users beyond what is required for a given component to function. ++ ++The AppArmor kernel security module will log violations to the audit subsystem, and those will be logged/forwarded/recorded on the user's system(s) according to how the administrator has logging configured. Again this is not forwarded to or collected by the AppArmor project. ++ ++The AppArmor userspace tools do not collect information on the system user beyond the logs and information needed to interact with the user. This is not forwarded to, nor collected by the AppArmor project. ++ ++Users may submit information as part of an email, bug report or merge request, etc. and that will be recorded as part of the mailing list, bug/issue tracker, or code repository but only as part of a user initiated action. ++ ++The AppArmor project does not collect information from contributors beyond their interactions with the AppArmor project, code, and community. However contributors are subject to the terms and conditions and privacy policy of the individual platforms (currently GitLab and LaunchPad) should they choose to contribute through those platforms. And those platforms may collect data on the user that the AppArmor project does not. ++ ++Currently both GitLab an LaunchPad require a user account to submit patches or report bugs and issues. If a contributor does not wish to create an account for these platforms the mailing list is available. 
Membership in the list is not required. Content from non-list members will be sent to moderation, to ensure that it is on topic, so there may be a delay in choosing to interact in this way. ++ ++ + ------------- + Source Layout + ------------- +diff --git a/binutils/Makefile b/binutils/Makefile +index 7fb71813..e9fcbbd8 100644 +--- a/binutils/Makefile ++++ b/binutils/Makefile +@@ -54,6 +54,10 @@ TOOLS = aa-enabled aa-exec + + AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread + ++ifdef WITH_LIBINTL ++ AALIB += -lintl ++endif ++ + ifdef USE_SYSTEM + # Using the system libapparmor so Makefile dependencies can't be used + LIBAPPARMOR_A = +diff --git a/common/Make.rules b/common/Make.rules +index d2149fcd..ecc6181a 100644 +--- a/common/Make.rules ++++ b/common/Make.rules +@@ -74,40 +74,6 @@ endif + pod_clean: + -rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp + +-# ===================== +-# generate list of capabilities based on +-# /usr/include/linux/capabilities.h for use in multiple locations in +-# the source tree +-# ===================== +- +-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2" +-CAPABILITIES=$(shell echo "\#include " | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort) +- +-.PHONY: list_capabilities +-list_capabilities: /usr/include/linux/capability.h +- @echo "$(CAPABILITIES)" +- +-# ===================== +-# generate list of network protocols based on +-# sys/socket.h for use in multiple locations in +-# the source tree +-# ===================== +- +-# These are the families that it doesn't make sense for apparmor +-# to mediate. We use PF_ here since that is what is required in +-# bits/socket.h, but we will rewrite these as AF_. 
+- +-FILTER_FAMILIES=PF_UNIX +- +-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g') +- +-# emits the AF names in a "AF_NAME NUMBER," pattern +-AF_NAMES=$(shell echo "\#include " | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2) +- +-.PHONY: list_af_names +-list_af_names: +- @echo "$(AF_NAMES)" +- + # ===================== + # manpages + # ===================== +diff --git a/common/list_af_names.sh b/common/list_af_names.sh +new file mode 100755 +index 00000000..d7987537 +--- /dev/null ++++ b/common/list_af_names.sh +@@ -0,0 +1,19 @@ ++#!/bin/bash -e ++ ++# ===================== ++# generate list of network protocols based on ++# sys/socket.h for use in multiple locations in ++# the source tree ++# ===================== ++ ++# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search ++# for "PF_" constants since that is what is required in bits/socket.h, but ++# rewrite as "AF_". 
++ ++echo "#include " | \ ++ cpp -dM | \ ++ LC_ALL=C sed -n \ ++ -e '/PF_UNIX/d' \ ++ -e 's/PF_LOCAL/PF_UNIX/' \ ++ -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \ ++ sort -n -k2 +diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh +new file mode 100755 +index 00000000..4e37cda7 +--- /dev/null ++++ b/common/list_capabilities.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash -e ++ ++# ===================== ++# generate list of capabilities based on ++# /usr/include/linux/capabilities.h for use in multiple locations in ++# the source tree ++# ===================== ++ ++echo "#include " | \ ++ cpp -dM | \ ++ LC_ALL=C sed -n \ ++ -e '/CAP_EMPTY_SET/d' \ ++ -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \ ++ LC_ALL=C sort +diff --git a/libraries/libapparmor/swig/python/test/test_python.py.in b/libraries/libapparmor/swig/python/test/test_python.py.in +index 37849554..75c71415 100644 +--- a/libraries/libapparmor/swig/python/test/test_python.py.in ++++ b/libraries/libapparmor/swig/python/test/test_python.py.in +@@ -74,7 +74,7 @@ class AAPythonBindingsTests(unittest.TestCase): + libapparmor.free_record(swig_record) + + expected = self.parse_output_file(outfile) +- self.assertEquals(expected, record, ++ self.assertEqual(expected, record, + "expected records did not match\n" + + "expected = %s\nactual = %s" % (expected, record)) + +@@ -90,7 +90,7 @@ class AAPythonBindingsTests(unittest.TestCase): + line = l.rstrip('\n') + count += 1 + if line == "START": +- self.assertEquals(count, 1, ++ self.assertEqual(count, 1, + "Unexpected output format in %s" % (outfile)) + continue + else: +diff --git a/parser/Makefile b/parser/Makefile +index 73e88f5c..d2bdc4de 100644 +--- a/parser/Makefile ++++ b/parser/Makefile +@@ -94,6 +94,10 @@ AAREOBJECTS = $(AAREOBJECT) + AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. 
$(LDFLAGS) + AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread + ++ifdef WITH_LIBINTL ++ AALIB += -lintl ++endif ++ + ifdef USE_SYSTEM + # Using the system libapparmor so Makefile dependencies can't be used + LIBAPPARMOR_A = +@@ -281,14 +285,13 @@ parser_version.h: Makefile + # as well as the filtering that occurs for network protocols that + # apparmor should not mediate. + +-.PHONY: af_names.h +-af_names.h: +- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@ +- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@ ++af_names.h: ../common/list_af_names.sh ++ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@ ++ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@ + # cat $@ + + cap_names.h: /usr/include/linux/capability.h +- echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@ ++ ../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@ + + tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS}) + $(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS) +@@ -304,10 +307,7 @@ tests: apparmor_parser ${TESTS} + sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done' + $(Q)$(MAKE) -s -C tst tests + +-# always need to rebuild. 
+-.SILENT: $(AAREOBJECT) +-.PHONY: $(AAREOBJECT) +-$(AAREOBJECT): ++$(AAREOBJECT): FORCE + $(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)" + + .PHONY: install-rhel4 +@@ -363,7 +363,9 @@ INSTALLDEPS+=install-$(DISTRO) + endif + + .PHONY: install +-install: install-indep install-arch ++install: ++ $(MAKE) install-indep ++ $(MAKE) install-arch + + .PHONY: install-arch + install-arch: $(INSTALLDEPS) +@@ -408,3 +410,4 @@ clean: pod_clean + $(MAKE) -s -C po clean + $(MAKE) -s -C tst clean + ++FORCE: +diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod +index 662830bd..59ac72c9 100644 +--- a/parser/apparmor.d.pod ++++ b/parser/apparmor.d.pod +@@ -1279,6 +1279,7 @@ provided AppArmor policy: + @{apparmorfs} + @{sys} + @{tid} ++ @{run} + @{XDG_DESKTOP_DIR} + @{XDG_DOWNLOAD_DIR} + @{XDG_TEMPLATES_DIR} +diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions +index 22e8367f..8c1c57c5 100644 +--- a/parser/rc.apparmor.functions ++++ b/parser/rc.apparmor.functions +@@ -140,7 +140,7 @@ force_complain() { + local profile=$1 + + # if profile not in complain mode +- if ! egrep -q "^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+{" $profile ; then ++ if ! 
egrep -q '^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+\{' $profile ; then + local link="${PROFILE_DIR}/force-complain/`basename ${profile}`" + if [ -e "$link" ] ; then + aa_log_warning_msg "found $link, forcing complain mode" +diff --git a/parser/tst/caching.py b/parser/tst/caching.py +index 6d07b696..ad8a1be0 100755 +--- a/parser/tst/caching.py ++++ b/parser/tst/caching.py +@@ -137,7 +137,7 @@ class AAParserCachingCommon(testlib.AATestTemplate): + with open(features_path) as f: + features = f.read() + if expected: +- self.assertEquals(expected_output, features, ++ self.assertEqual(expected_output, features, + "features contents differ, expected:\n%s\nresult:\n%s" % (expected_output, features)) + else: + self.assertNotEquals(expected_output, features, +@@ -269,7 +269,7 @@ class AAParserCachingTests(AAParserCachingCommon): + if (int(major) < 3) or ((int(major) == 3) and (int(minor) <= 2)): + self.assertAlmostEquals(time1, time2, places=5) + else: +- self.assertEquals(time1, time2) ++ self.assertEqual(time1, time2) + + def _set_mtime(self, path, mtime): + atime = os.stat(path).st_atime +@@ -370,7 +370,7 @@ class AAParserCachingTests(AAParserCachingCommon): + # in cache_contents because of the difficulty coercing cache + # file bytes into strings in python3 + self.assertNotEquals(orig_stat.st_size, stat.st_size, 'Expected cache file to be updated, size is not changed.') +- self.assertEquals(os.stat(self.profile).st_mtime, stat.st_mtime) ++ self.assertEqual(os.stat(self.profile).st_mtime, stat.st_mtime) + + def test_cache_writing_clears_all_files(self): + '''test cache writing clears all cache files''' +@@ -388,7 +388,7 @@ class AAParserCachingTests(AAParserCachingCommon): + self._set_mtime(self.abstraction, 0) + self._set_mtime(self.profile, expected) + self._generate_cache_file() +- self.assertEquals(expected, os.stat(self.cache_file).st_mtime) ++ self.assertEqual(expected, os.stat(self.cache_file).st_mtime) + + def 
test_abstraction_mtime_preserved(self): + '''test abstraction mtime is preserved when it is newest''' +@@ -396,7 +396,7 @@ class AAParserCachingTests(AAParserCachingCommon): + self._set_mtime(self.profile, 0) + self._set_mtime(self.abstraction, expected) + self._generate_cache_file() +- self.assertEquals(expected, os.stat(self.cache_file).st_mtime) ++ self.assertEqual(expected, os.stat(self.cache_file).st_mtime) + + def test_equal_mtimes_preserved(self): + '''test equal profile and abstraction mtimes are preserved''' +@@ -404,7 +404,7 @@ class AAParserCachingTests(AAParserCachingCommon): + self._set_mtime(self.profile, expected) + self._set_mtime(self.abstraction, expected) + self._generate_cache_file() +- self.assertEquals(expected, os.stat(self.cache_file).st_mtime) ++ self.assertEqual(expected, os.stat(self.cache_file).st_mtime) + + def test_profile_newer_skips_cache(self): + '''test cache is skipped if profile is newer''' +@@ -420,9 +420,9 @@ class AAParserCachingTests(AAParserCachingCommon): + self.run_cmd_check(cmd, expected_string='Replacement succeeded for') + + stat = os.stat(self.cache_file) +- self.assertEquals(orig_stat.st_size, stat.st_size) +- self.assertEquals(orig_stat.st_ino, stat.st_ino) +- self.assertEquals(orig_stat.st_mtime, stat.st_mtime) ++ self.assertEqual(orig_stat.st_size, stat.st_size) ++ self.assertEqual(orig_stat.st_ino, stat.st_ino) ++ self.assertEqual(orig_stat.st_mtime, stat.st_mtime) + + def test_abstraction_newer_skips_cache(self): + '''test cache is skipped if abstraction is newer''' +@@ -438,9 +438,9 @@ class AAParserCachingTests(AAParserCachingCommon): + self.run_cmd_check(cmd, expected_string='Replacement succeeded for') + + stat = os.stat(self.cache_file) +- self.assertEquals(orig_stat.st_size, stat.st_size) +- self.assertEquals(orig_stat.st_ino, stat.st_ino) +- self.assertEquals(orig_stat.st_mtime, stat.st_mtime) ++ self.assertEqual(orig_stat.st_size, stat.st_size) ++ self.assertEqual(orig_stat.st_ino, stat.st_ino) ++ 
self.assertEqual(orig_stat.st_mtime, stat.st_mtime) + + def test_profile_newer_rewrites_cache(self): + '''test cache is rewritten if profile is newer''' +diff --git a/profiles/apparmor.d/abstractions/dbus-network-manager-strict b/profiles/apparmor.d/abstractions/dbus-network-manager-strict +new file mode 100644 +index 00000000..889a9a85 +--- /dev/null ++++ b/profiles/apparmor.d/abstractions/dbus-network-manager-strict +@@ -0,0 +1,45 @@ ++# vim:syntax=apparmor ++ ++ dbus send ++ bus=system ++ path=/org/freedesktop/NetworkManager ++ interface=org.freedesktop.DBus.Properties ++ member=GetAll ++ peer=(name=org.freedesktop.NetworkManager), ++ ++ dbus send ++ bus=system ++ path=/org/freedesktop/NetworkManager ++ interface=org.freedesktop.NetworkManager ++ member=GetDevices ++ peer=(name=org.freedesktop.NetworkManager), ++ ++ dbus send ++ bus=system ++ path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* ++ interface=org.freedesktop.DBus.Properties ++ member=GetAll ++ peer=(name=org.freedesktop.NetworkManager), ++ ++ dbus send ++ bus=system ++ path=/org/freedesktop/NetworkManager/Devices/[0-9]* ++ interface=org.freedesktop.DBus.Properties ++ member=GetAll ++ peer=(name=org.freedesktop.NetworkManager), ++ ++ dbus send ++ bus=system ++ path=/org/freedesktop/NetworkManager/Settings ++ interface=org.freedesktop.NetworkManager.Settings ++ member={GetDevices,ListConnections} ++ peer=(name=org.freedesktop.NetworkManager), ++ ++ dbus send ++ bus=system ++ path=/org/freedesktop/NetworkManager/Settings/[0-9]* ++ interface=org.freedesktop.NetworkManager.Settings.Connection ++ member=GetSettings ++ peer=(name=org.freedesktop.NetworkManager), ++ ++ #include if exists +diff --git a/profiles/apparmor.d/abstractions/exo-open b/profiles/apparmor.d/abstractions/exo-open +new file mode 100644 +index 00000000..6b14afa5 +--- /dev/null ++++ b/profiles/apparmor.d/abstractions/exo-open +@@ -0,0 +1,74 @@ ++# vim:syntax=apparmor ++ ++# This abstraction is designed to be used in a child 
profile to limit what ++# confined application can invoke via exo-open helper. ++# ++# NOTE: most likely you want to use xdg-open abstraction instead for better ++# portability across desktop environments, unless you are sure that confined ++# application only uses /usr/bin/exo-open directly. ++# ++# Usage example: ++# ++# ``` ++# profile foo /usr/bin/foo { ++# ... ++# /usr/bin/exo-open rPx -> foo//exo-open, ++# ... ++# } # end of main profile ++# ++# # out-of-line child profile ++# profile foo//exo-open { ++# #include ++# ++# # needed for ubuntu-* abstractions ++# #include ++# ++# # Only allow to handle http[s]: and mailto: links ++# #include ++# #include ++# ++# # Add if accesibility access is considered as required ++# # (for message boxe in case exo-open fails) ++# #include ++# ++# # < add additional allowed applications here > ++# } ++ ++ #include ++ #include # for alert messages ++ #include ++ #include ++ #include ++ ++ # Main executables ++ ++ /usr/bin/exo-open rix, ++ /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix, ++ ++ # Other executables ++ ++ /{,usr/}bin/which rix, ++ ++ # Deny DBus ++ ++ # for GTK error message dialog, not required exo-open to work. ++ deny dbus send ++ bus=session ++ path=/org/gtk/vfs/mounttracker, ++ ++ # System files ++ ++ /etc/xdg/{,xdg-*/}xfce4/helpers.rc r, ++ /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction? 
++ /usr/share/sounds/freedesktop/** r, # for message box alert sound ++ /usr/share/xfce4/helpers/*.desktop r, ++ /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r, ++ ++ # User files ++ ++ owner @{PROC}/@{pid}/fd/ r, ++ owner @{HOME}/.config/xfce4/helpers.rc r, ++ owner @{HOME}/.local/share/xfce4/helpers/*.desktop r, ++ ++ # Include additions to the abstraction ++ #include if exists +diff --git a/profiles/apparmor.d/abstractions/gio-open b/profiles/apparmor.d/abstractions/gio-open +new file mode 100644 +index 00000000..ec6b1873 +--- /dev/null ++++ b/profiles/apparmor.d/abstractions/gio-open +@@ -0,0 +1,57 @@ ++# vim:syntax=apparmor ++ ++# This abstraction is designed to be used in a child profile to limit what ++# confined application can invoke via gio helper. ++# ++# NOTE: most likely you want to use xdg-open abstraction instead for better ++# portability across desktop environments, unless you are sure that confined ++# application only uses /usr/bin/gio directly. ++# ++# Usage example: ++# ++# ``` ++# profile foo /usr/bin/foo { ++# ... ++# /usr/bin/gio rPx -> foo//gio-open, ++# ... 
++# } # end of main profile ++# ++# # out-of-line child profile ++# profile foo//gio-open { ++# #include ++# ++# # needed for ubuntu-* abstractions ++# #include ++# ++# # Only allow to handle http[s]: and mailto: links ++# #include ++# #include ++# ++# # < add additional allowed applications here > ++# } ++ ++ #include ++ #include ++ ++ # Main executables ++ ++ /usr/bin/gio rix, ++ /usr/bin/gio-launch-desktop ix, # for OpenSUSE ++ /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix, ++ ++ # System files ++ ++ /etc/gnome/defaults.list r, ++ /usr/share/mime/* r, ++ /usr/share/{,*/}applications/{,**} r, ++ /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, ++ /var/lib/snapd/desktop/applications/{,**} r, ++ ++ # User files ++ ++ owner @{HOME}/.config/mimeapps.list r, ++ owner @{HOME}/.local/share/applications/{,*.desktop} r, ++ owner @{PROC}/@{pid}/fd/ r, ++ ++ # Include additions to the abstraction ++ #include if exists +diff --git a/profiles/apparmor.d/abstractions/gvfs-open b/profiles/apparmor.d/abstractions/gvfs-open +new file mode 100644 +index 00000000..397423da +--- /dev/null ++++ b/profiles/apparmor.d/abstractions/gvfs-open +@@ -0,0 +1,45 @@ ++# vim:syntax=apparmor ++ ++# This abstraction is designed to be used in a child profile to limit what ++# confined application can invoke via gvfs-open helper. ++# ++# NOTE: most likely you want to use xdg-open abstraction instead for better ++# portability across desktop environments, unless you are sure that confined ++# application only uses /usr/bin/gvfs-open directly. ++# ++# Usage example: ++# ++# ``` ++# profile foo /usr/bin/foo { ++# ... ++# /usr/bin/gvfs-open rPx -> foo//gvfs-open, ++# ... 
++# } # end of main profile ++# ++# # out-of-line child profile ++# profile foo//gvfs-open { ++# #include ++# ++# # needed for ubuntu-* abstractions ++# #include ++# ++# # Only allow to handle http[s]: and mailto: links ++# #include ++# #include ++# ++# # < add additional allowed applications here > ++# } ++# ``` ++ ++ #include ++ ++ # gvfs-open is deprecated, it launches gio open ++ #include ++ ++ # Main executables ++ ++ /usr/bin/gvfs-open r, ++ /{,usr/}bin/dash mr, ++ ++ # Include additions to the abstraction ++ #include if exists +diff --git a/profiles/apparmor.d/abstractions/kde-open5 b/profiles/apparmor.d/abstractions/kde-open5 +new file mode 100644 +index 00000000..4fb651ea +--- /dev/null ++++ b/profiles/apparmor.d/abstractions/kde-open5 +@@ -0,0 +1,104 @@ ++# vim:syntax=apparmor ++ ++# This abstraction is designed to be used in a child profile to limit what ++# confined application can invoke via kde-open5 helper. ++# ++# NOTE: most likely you want to use xdg-open abstraction instead for better ++# portability across desktop environments, unless you are sure that confined ++# application only uses /usr/bin/kde-open5 directly. ++# ++# Usage example: ++# ++# ``` ++# profile foo /usr/bin/foo { ++# ... ++# /usr/bin/kde-open5 rPx -> foo//kde-open5, ++# ... ++# } # end of main profile ++# ++# # out-of-line child profile ++# profile foo//kde-open5 { ++# #include ++# ++# # needed for ubuntu-* abstractions ++# #include ++# ++# # Only allow to handle http[s]: and mailto: links ++# #include ++# #include ++# ++# # Add if accesibility access is considered as required ++# # (for message boxe in case exo-open fails) ++# #include ++# ++# # Add if audio support for message box is ++# # considered as required. 
++# #include if exists ++# ++# # < add additional allowed applications here > ++# } ++# ``` ++ ++ #include # for alert messages ++ #include ++ #include ++ #include ++ #include ++ #include ++ #include ++ #include ++ #include # for IceProcessMessages () from libICE.so (called by libQtCore.so) ++ #include ++ #include ++ #include ++ #include ++ ++ # Main executables ++ ++ /usr/bin/kde-open5 rix, ++ /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix, ++ ++ # DBus ++ ++ dbus ++ bus=session ++ interface=org.kde.KLauncher ++ member=start_service_by_desktop_path ++ peer=(name=org.kde.klauncher5), ++ ++ # Denied system files ++ ++ deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109 ++ ++ # libpcre2 on openSUSE tries to mmap() shared memory on directory. ++ # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html ++ # AppArmor does not allow to distinguish "real" file vs shared memory one, ++ # so we deny this path to protect from loading exploits from /tmp. ++ deny /tmp/#[0-9]*[0-9] m, ++ ++ # System files ++ ++ /dev/tty r, ++ /etc/xdg/accept-languages.codes r, ++ /etc/xdg/menus/{,*/} r, ++ /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box ++ /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box ++ /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so ++ /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE ++ /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so ++ /usr/share/mime/ r, ++ /usr/share/mime/generic-icons r, ++ /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction? 
++ /usr/share/sounds/ r, ++ @{PROC}/sys/kernel/core_pattern r, ++ @{PROC}/sys/kernel/random/boot_id r, ++ ++ # User files ++ ++ owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so ++ owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13 ++ owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) ++ owner @{HOME}/.cache/kio_http/ rw, ++ ++ # Include additions to the abstraction ++ #include if exists +diff --git a/profiles/apparmor.d/abstractions/mdns b/profiles/apparmor.d/abstractions/mdns +index e05ef3a4..14c31b8c 100644 +--- a/profiles/apparmor.d/abstractions/mdns ++++ b/profiles/apparmor.d/abstractions/mdns +@@ -9,5 +9,6 @@ + # ------------------------------------------------------------------ + + # mdnsd ++ /etc/mdns.allow r, + /etc/nss_mdns.conf r, + /{,var/}run/mdnsd w, +diff --git a/profiles/apparmor.d/abstractions/mesa b/profiles/apparmor.d/abstractions/mesa +index 68e7579e..be699c77 100644 +--- a/profiles/apparmor.d/abstractions/mesa ++++ b/profiles/apparmor.d/abstractions/mesa +@@ -4,6 +4,10 @@ + # System files + /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() + ++ # Needed to check if the kernel supports the i915 perf interface ++ # (src/intel/perf/gen_perf.c, load_oa_metrics()) ++ @{PROC}/sys/dev/i915/perf_stream_paranoid r, ++ + # User files + owner @{HOME}/.cache/ w, # if user clears all caches + owner @{HOME}/.cache/mesa_shader_cache/ w, +diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice +index ef2c5b2e..a78a874d 100644 +--- a/profiles/apparmor.d/abstractions/nameservice ++++ b/profiles/apparmor.d/abstractions/nameservice +@@ -29,6 +29,11 @@ + /var/lib/extrausers/group r, + /var/lib/extrausers/passwd r, + ++ # NSS records from systemd-userdbd.service ++ @{run}/systemd/userdb/ r, ++ 
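Review bot: The link rule in the kde-open5 "User files" section, `owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*,`, uses `[0-9]` (a single digit) for the uid directory on the target side while the source side uses `[0-9]*`, so for any uid with two or more digits the target will most likely not match and the `l` access ends up denied at runtime; the target also spells `{,var/}/run`, which expands to a doubled slash. Suggest `-> /{,var/}run/user/[0-9]*/#[0-9]*,` so both sides agree, keeping the author's `(not 100% sure)` remark until this is confirmed against an actual denial log. The `deny /tmp/#[0-9]*[0-9] m,` entry with its why-comment is a good model for the other deny line in this file, which only says what is being denied.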
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r, ++ @{PROC}/sys/kernel/random/boot_id r, ++ + # When using sssd, the passwd and group files are stored in an alternate path + # and the nss plugin also needs to talk to a pipe + /var/lib/sss/mc/group r, +diff --git a/profiles/apparmor.d/abstractions/xdg-open b/profiles/apparmor.d/abstractions/xdg-open +new file mode 100644 +index 00000000..531022e3 +--- /dev/null ++++ b/profiles/apparmor.d/abstractions/xdg-open +@@ -0,0 +1,84 @@ ++# vim:syntax=apparmor ++ ++# This abstraction is designed to be used in a child profile to limit what ++# confined application can invoke via xdg-open helper. xdg-open abstraction ++# will allow to use gio-open, kde-open5 and other helpers of the different ++# desktop environments. ++# ++# Usage example: ++# ++# ``` ++# profile foo /usr/bin/foo { ++# ... ++# /usr/bin/xdg-open rPx -> foo//xdg-open, ++# ... ++# } # end of main profile ++# ++# # out-of-line child profile ++# profile foo//xdg-open { ++# #include ++# ++# # Enable a11y support if considered required by ++# # profile author for (rare) error message boxes. ++# #include ++# ++# # Enable gstreamer support if considered required by ++# # profile author for (rare) error message boxes. 
++# #include if exists ++# ++# # needed for ubuntu-* abstractions ++# #include ++# ++# # Only allow to handle http[s]: and mailto: links ++# #include ++# #include ++# ++# # < add additional allowed applications here > ++# } ++# ``` ++ ++ #include ++ ++ # for openin with `exo-open` ++ #include ++ ++ # for opening with `gio open ` ++ #include ++ ++ # for opening with gvfs-open (deprecated) ++ #include ++ ++ # for opening with kde-open5 ++ #include ++ ++ # Main executables ++ ++ /{,usr/}bin/{b,d}ash mr, ++ /usr/bin/xdg-open r, ++ ++ # Additional executables ++ ++ /usr/bin/xdg-mime rix, ++ /{,usr/}bin/cut rix, # for xdg-mime ++ /{,usr/}bin/head rix, # for xdg-mime ++ /{,usr/}bin/sed rix, # for xdg-open ++ /{,usr/}bin/tr rix, # for xdg-mime ++ /{,usr/}bin/which rix, # for xdg-open ++ /{,usr/}bin/{grep,egrep} rix, # for xdg-open ++ ++ # System files ++ ++ /dev/pts/[0-9]* rw, ++ /dev/tty w, ++ /etc/gnome/defaults.list r, # for grep ++ /usr/share/applications/mimeinfo.cache r, # for grep ++ /usr/share/terminfo/s/screen r, # for bash on openSUSE ++ /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime ++ /var/lib/menu-xdg/applications/ r, # for xdg-mime ++ ++ # Usr files ++ ++ owner @{HOME}/.local/share/applications/{,*.desktop} r, ++ ++ # Include additions to the abstraction ++ #include if exists +diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global +index 28d6fc6d..3b6f99cc 100644 +--- a/profiles/apparmor.d/tunables/global ++++ b/profiles/apparmor.d/tunables/global +@@ -19,3 +19,4 @@ + #include + #include + #include ++#include +diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run +new file mode 100644 +index 00000000..5b81925e +--- /dev/null ++++ b/profiles/apparmor.d/tunables/run +@@ -0,0 +1 @@ ++@{run}=/run/ /var/run/ +diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq +index 14ad664b..f2b5ca18 100644 +--- a/profiles/apparmor.d/usr.sbin.dnsmasq ++++ 
b/profiles/apparmor.d/usr.sbin.dnsmasq +@@ -42,6 +42,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { + + owner /dev/tty rw, + ++ @{PROC}/@{pid}/fd/ r, ++ + /etc/dnsmasq.conf r, + /etc/dnsmasq.d/ r, + /etc/dnsmasq.d/* r, +diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd +index 9f78e8c7..0313ec98 100644 +--- a/profiles/apparmor.d/usr.sbin.winbindd ++++ b/profiles/apparmor.d/usr.sbin.winbindd +@@ -25,7 +25,7 @@ profile winbindd /usr/{bin,sbin}/winbindd { + /usr/lib*/samba/nss_info/*.so mr, + /usr/lib*/samba/pdb/*.so mr, + /usr/{bin,sbin}/winbindd mr, +- /var/cache/krb5rcache/* rw, ++ /var/cache/krb5rcache/* rwk, + /var/cache/samba/*.tdb rwk, + /var/log/samba/log.winbindd rw, + /{var/,}run/samba/winbindd.pid rwk, +diff --git a/utils/Makefile b/utils/Makefile +index 68f8c376..ea9e0601 100644 +--- a/utils/Makefile ++++ b/utils/Makefile +@@ -80,7 +80,7 @@ clean: pod_clean + .SILENT: check_severity_db + check_severity_db: /usr/include/linux/capability.h severity.db + # The sed statement is based on the one in the parser's makefile +- RC=0 ; for cap in ${CAPABILITIES} ; do \ ++ RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \ + if ! grep -q -w $${cap} severity.db ; then \ + echo "Warning! 
capability $${cap} not found in severity.db" ; \ + RC=1 ; \ +diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py +index 3b5ad68f..5423497e 100644 +--- a/utils/apparmor/aa.py ++++ b/utils/apparmor/aa.py +@@ -559,8 +559,7 @@ def get_profile(prof_name): + p = profile_hash[options[arg]] + q.selected = options.index(options[arg]) + if ans == 'CMD_VIEW_PROFILE': +- pager = get_pager() +- subprocess.call([pager, orig_filename]) ++ aaui.UI_ShowFile(uname, orig_filename) + elif ans == 'CMD_USE_PROFILE': + if p['profile_type'] == 'INACTIVE_LOCAL': + profile_data = p['profile_data'] +@@ -1952,6 +1951,10 @@ def collapse_log(): + for aamode in prelog.keys(): + for profile in prelog[aamode].keys(): + for hat in prelog[aamode][profile].keys(): ++ # used to avoid to accidently initialize aa[profile][hat] or calling is_known_rule() on events for a non-existing profile ++ hat_exists = False ++ if aa.get(profile) and aa[profile].get(hat): ++ hat_exists = True + + log_dict[aamode][profile][hat] = ProfileStorage(profile, hat, 'collapse_log()') + +@@ -1977,12 +1980,12 @@ def collapse_log(): + + file_event = FileRule(path, mode, None, FileRule.ALL, owner=owner, log_event=True) + +- if not is_known_rule(aa[profile][hat], 'file', file_event): ++ if not hat_exists or not is_known_rule(aa[profile][hat], 'file', file_event): + log_dict[aamode][profile][hat]['file'].add(file_event) + + for cap in prelog[aamode][profile][hat]['capability'].keys(): + cap_event = CapabilityRule(cap, log_event=True) +- if not is_known_rule(aa[profile][hat], 'capability', cap_event): ++ if not hat_exists or not is_known_rule(aa[profile][hat], 'capability', cap_event): + log_dict[aamode][profile][hat]['capability'].add(cap_event) + + dbus = prelog[aamode][profile][hat]['dbus'] +@@ -2005,20 +2008,21 @@ def collapse_log(): + else: + raise AppArmorBug('unexpected dbus access: %s') + +- log_dict[aamode][profile][hat]['dbus'].add(dbus_event) ++ if not hat_exists or not is_known_rule(aa[profile][hat], 'dbus', 
dbus_event): ++ log_dict[aamode][profile][hat]['dbus'].add(dbus_event) + + nd = prelog[aamode][profile][hat]['netdomain'] + for family in nd.keys(): + for sock_type in nd[family].keys(): + net_event = NetworkRule(family, sock_type, log_event=True) +- if not is_known_rule(aa[profile][hat], 'network', net_event): ++ if not hat_exists or not is_known_rule(aa[profile][hat], 'network', net_event): + log_dict[aamode][profile][hat]['network'].add(net_event) + + ptrace = prelog[aamode][profile][hat]['ptrace'] + for peer in ptrace.keys(): + for access in ptrace[peer].keys(): + ptrace_event = PtraceRule(access, peer, log_event=True) +- if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event): ++ if not hat_exists or not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event): + log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event) + + sig = prelog[aamode][profile][hat]['signal'] +@@ -2026,7 +2030,7 @@ def collapse_log(): + for access in sig[peer].keys(): + for signal in sig[peer][access].keys(): + signal_event = SignalRule(access, signal, peer, log_event=True) +- if not is_known_rule(aa[profile][hat], 'signal', signal_event): ++ if not hat_exists or not is_known_rule(aa[profile][hat], 'signal', signal_event): + log_dict[aamode][profile][hat]['signal'].add(signal_event) + + return log_dict +@@ -2098,7 +2102,8 @@ def read_profile(file, active_profile): + try: + with open_file_read(file) as f_in: + data = f_in.readlines() +- except IOError: ++ except IOError as e: ++ aaui.UI_Important('WARNING: Error reading file %s, skipping.\n %s' % (file, e)) + debug_logger.debug("read_profile: can't read %s - skipping" % file) + return None + +diff --git a/utils/apparmor/ui.py b/utils/apparmor/ui.py +index cdb712f3..58ff8ced 100644 +--- a/utils/apparmor/ui.py ++++ b/utils/apparmor/ui.py +@@ -254,13 +254,16 @@ def UI_Changes(oldprofile, newprofile, comments=False): + else: + difftemp = generate_diff_with_comments(oldprofile, newprofile) + header = 'View Changes with comments' ++ 
UI_ShowFile(header, difftemp.name) ++ difftemp.close() ++ ++def UI_ShowFile(header, filename): + if UI_mode == 'json': +- jsonout = {'dialog': 'changes', 'header':header, 'filename': difftemp.name} ++ jsonout = {'dialog': 'changes', 'header': header, 'filename': filename} + write_json(jsonout) +- json_response('changes')["response"] # wait for response to delay deletion of difftemp (and ignore response content) ++ json_response('changes')["response"] # wait for response to delay deletion of filename (and ignore response content) + else: +- subprocess.call('less %s' % difftemp.name, shell=True) +- difftemp.close() ++ subprocess.call(['less', filename]) + + CMDS = {'CMD_ALLOW': _('(A)llow'), + 'CMD_OTHER': _('(M)ore'), +diff --git a/utils/test/test-aa-easyprof.py b/utils/test/test-aa-easyprof.py +index ba468f3e..d2057972 100755 +--- a/utils/test/test-aa-easyprof.py ++++ b/utils/test/test-aa-easyprof.py +@@ -1674,7 +1674,7 @@ POLICYGROUPS_DIR="%s/templates" + + # verify we get the same manifest back + man_new = easyp.gen_manifest(params) +- self.assertEquals(m, man_new) ++ self.assertEqual(m, man_new) + + def test_gen_manifest_ubuntu(self): + '''Test gen_manifest (ubuntu)''' +@@ -1714,7 +1714,7 @@ POLICYGROUPS_DIR="%s/templates" + + # verify we get the same manifest back + man_new = easyp.gen_manifest(params) +- self.assertEquals(m, man_new) ++ self.assertEqual(m, man_new) + + def test_parse_manifest_no_version(self): + '''Test parse_manifest (vendor with no version)''' +diff --git a/utils/test/test-network.py b/utils/test/test-network.py +index 8605786d..73a6b9d1 100644 +--- a/utils/test/test-network.py ++++ b/utils/test/test-network.py +@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', + + class NetworkKeywordsTest(AATest): + def test_network_keyword_list(self): +- rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names']) ++ rc, output = cmd('../../common/list_af_names.sh') + self.assertEqual(rc, 0) + + af_names 
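Review bot: `UI_ShowFile` hardcodes `less`, whereas the call site it replaces in `get_profile()` (the aa.py hunk `@@ -559,8 +559,7 @@`) consulted `get_pager()`, so the user's pager preference is dropped and the tool now depends on `less` being on PATH; if `get_pager` is reachable from ui.py (its origin is not visible here), `subprocess.call([get_pager(), filename])` keeps the old behaviour. Replacing `subprocess.call('less %s' % ..., shell=True)` with an argument list is the right fix for shell metacharacters in the file name; with `less` specifically a file name beginning with `-` would still be parsed as an option, so `['less', '--', filename]` is the robust form. The new function has no docstring; suggest `"""Show *filename* to the user: emit a 'changes' JSON dialog in json mode, otherwise open it in a pager."""`.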
= [] +diff --git a/utils/vim/Makefile b/utils/vim/Makefile +index 9ffc301e..7d107dd0 100644 +--- a/utils/vim/Makefile ++++ b/utils/vim/Makefile +@@ -9,7 +9,7 @@ VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor + all: apparmor.vim manpages htmlmanpages + + apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py +- ${PYTHON} create-apparmor.vim.py > apparmor.vim ++ ${PYTHON} create-apparmor.vim.py > apparmor.vim || { rm -f apparmor.vim ; exit 1; } + + manpages: $(MANPAGES) + +diff --git a/utils/vim/apparmor.vim.in b/utils/vim/apparmor.vim.in +index 6451aa08..e2677d83 100644 +--- a/utils/vim/apparmor.vim.in ++++ b/utils/vim/apparmor.vim.in +@@ -113,7 +113,7 @@ syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as er + " TODO: make a separate pattern for variable definitions, then mark sdGlob as contained + syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/ + +-syn match sdAlias /\v^alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment ++syn match sdAlias /\v^\s*alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment + + " syn match sdComment /#.*/ + +@@ -186,6 +186,8 @@ syn match sdComment /\s*#.*$/ + " NOTE: Comment highlighting still works without contains=sdComment. + syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $ + syn match sdInclude /\s*include\s<\S*>/ " TODO: doesn't check until $ ++syn match sdInclude /\s*#include\sif\sexists\s<\S*>/ " TODO: doesn't check until $ ++syn match sdInclude /\s*include\sif\sexists\s<\S*>/ " TODO: doesn't check until $ + + " basic profile block... 
+ " \s+ does not work in end=, therefore using \s\s* +diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py +index 10bd5b8d..8a17bb43 100644 +--- a/utils/vim/create-apparmor.vim.py ++++ b/utils/vim/create-apparmor.vim.py +@@ -42,24 +42,24 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s + # Handle redirection of stderr + if outerr is None: + outerr = '' +- return [sp.returncode, out + outerr] ++ return [sp.returncode, out, outerr] + + # get capabilities list +-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities']) ++(rc, output, outerr) = cmd(['../../common/list_capabilities.sh']) + if rc != 0: +- sys.stderr.write("make list_capabilities failed: " + output) ++ sys.stderr.write("make list_capabilities failed: " + output + outerr) + exit(rc) + +-capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ") ++capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n') + benign_caps = [] + for cap in capabilities: + if cap not in danger_caps: + benign_caps.append(cap) + + # get network protos list +-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names']) ++(rc, output, outerr) = cmd(['../../common/list_af_names.sh']) + if rc != 0: +- sys.stderr.write("make list_af_names failed: " + output) ++ sys.stderr.write("make list_af_names failed: " + output + outerr) + exit(rc) + + af_names = [] diff --git a/make-4.3-capabilities-vim.diff b/make-4.3-capabilities-vim.diff deleted file mode 100644 index 1d3ffc1..0000000 --- a/make-4.3-capabilities-vim.diff +++ /dev/null 
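Review bot: `cmd()` now returns a three-element list `[sp.returncode, out, outerr]` instead of `[rc, out + outerr]`, which changes its contract for every caller; the two callers in this hunk are updated, but any other caller of `cmd()` elsewhere in the file (outside this hunk) would now fail when unpacking two values. The error messages still read `make list_capabilities failed` / `make list_af_names failed` although the commands are now the shell scripts, so a failure is reported against the wrong tool; e.g. `sys.stderr.write("list_capabilities.sh failed: " + output + outerr)`. `cmd()`'s definition starts outside the hunk.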
@@ -1,26 +0,0 @@ -commit 60b005788e79c1be7276349242e0cc97b99f7118 -Author: Christian Boltz -Date: Sun Mar 29 00:07:11 2020 +0100 - - fix capabilities in apparmor.vim - - https://gitlab.com/apparmor/apparmor/-/merge_requests/461 / - e92da079ca12e776991bd36524430bd67c1cb72a changed creating the - capabilities to use a script. - - A side effect is that the list is now separated by \n instead of - spaces. Adjust create-apparmor.vim.py to the new output. - -diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py -index 6a5f02a2..b5df957a 100644 ---- a/utils/vim/create-apparmor.vim.py -+++ b/utils/vim/create-apparmor.vim.py -@@ -50,7 +50,7 @@ if rc != 0: - sys.stderr.write("make list_capabilities failed: " + output) - exit(rc) - --capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ") -+capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n') - benign_caps = [] - for cap in capabilities: - if cap not in danger_caps: diff --git a/make-4.3-capabilities.diff b/make-4.3-capabilities.diff deleted file mode 100644 index d726051..0000000 --- a/make-4.3-capabilities.diff +++ /dev/null 
@@ -1,94 +0,0 @@
-commit e92da079ca12e776991bd36524430bd67c1cb72a
-Author: allgdante
-Date: Mon Mar 23 15:09:15 2020 +0000
-
- Generate CAPABILITIES in a script due to make 4.3
-
- This way we could generate the capabilities in a way that works with
- every version of make.
- Changes to list_capabilities are intended to exactly replicate the old
- behavior.
-
-diff --git a/common/Make.rules b/common/Make.rules
-index 357bdec8..ecc6181a 100644
---- a/common/Make.rules
-+++ b/common/Make.rules
-@@ -74,19 +74,6 @@ endif
- pod_clean:
- -rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
-
--# =====================
--# generate list of capabilities based on
--# /usr/include/linux/capabilities.h for use in multiple locations in
--# the source tree
--# =====================
--
--# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
--CAPABILITIES=$(shell echo "\#include " | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
--
--.PHONY: list_capabilities
--list_capabilities: /usr/include/linux/capability.h
-- @echo "$(CAPABILITIES)"
--
- # =====================
- # manpages
- # =====================
-diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
-new file mode 100755
-index 00000000..4e37cda7
---- /dev/null
-+++ b/common/list_capabilities.sh
-@@ -0,0 +1,14 @@
-+#!/bin/bash -e
-+
-+# =====================
-+# generate list of capabilities based on
-+# /usr/include/linux/capabilities.h for use in multiple locations in
-+# the source tree
-+# =====================
-+
-+echo "#include " | \
-+ cpp -dM | \
-+ LC_ALL=C sed -n \
-+ -e '/CAP_EMPTY_SET/d' \
-+ -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
-+ LC_ALL=C sort
-diff --git a/parser/Makefile b/parser/Makefile
-index 2d40b06f..a71b5788 100644
---- a/parser/Makefile
-+++ b/parser/Makefile
-@@ -284,7 +284,7 @@ af_names.h: ../common/list_af_names.sh
- # cat $@
-
- cap_names.h: /usr/include/linux/capability.h
-- echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
-+ ../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
-
- tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
- $(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
-diff --git a/utils/Makefile b/utils/Makefile
-index 8fae738d..80990004 100644
---- a/utils/Makefile
-+++ b/utils/Makefile
-@@ -79,7 +79,7 @@ clean: pod_clean
- .SILENT: check_severity_db
- check_severity_db: /usr/include/linux/capability.h severity.db
- # The sed statement is based on the one in the parser's makefile
-- RC=0 ; for cap in ${CAPABILITIES} ; do \
-+ RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \
- if ! grep -q -w $${cap} severity.db ; then \
- echo "Warning! capability $${cap} not found in severity.db" ; \
- RC=1 ; \
-diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
-index fea134f6..6a5f02a2 100644
---- a/utils/vim/create-apparmor.vim.py
-+++ b/utils/vim/create-apparmor.vim.py
-@@ -45,7 +45,7 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
- return [sp.returncode, out + outerr]
-
- # get capabilities list
--(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
-+(rc, output) = cmd(['../../common/list_capabilities.sh'])
- if rc != 0:
- sys.stderr.write("make list_capabilities failed: " + output)
- exit(rc)
diff --git a/make-4.3-fix-utils-network-test.diff b/make-4.3-fix-utils-network-test.diff
deleted file mode 100644
index a923ca7..0000000
--- a/make-4.3-fix-utils-network-test.diff
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 9144e39d252cd75dd2d6941154e014f7d46147ca
-Author: John Johansen
-Date: Fri Jun 14 01:04:22 2019 -0700
-
- Revert "utils/test-network.py: fix failing testcase"
-
- This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0.
- this commit was meant for the 2.13 branch not master
-
- Signed-off-by: John Johansen
-
-diff --git a/utils/test/test-network.py b/utils/test/test-network.py
-index 6088327a..ee325abe 100644
---- a/utils/test/test-network.py
-+++ b/utils/test/test-network.py
-@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
-
- class NetworkKeywordsTest(AATest):
- def test_network_keyword_list(self):
-- rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
-+ rc, output = cmd('../../common/list_af_names.sh')
- self.assertEqual(rc, 0)
-
- af_names = []
diff --git a/make-4.3-network.diff b/make-4.3-network.diff
deleted file mode 100644
index da2970a..0000000
--- a/make-4.3-network.diff
+++ /dev/null
@@ -1,126 +0,0 @@
-commit cb8c3377babfed4600446d1f60d53d8e2a581578
-Author: Eric Chiang
-Date: Thu Jan 17 11:02:57 2019 -0800
-
- *: ensure make apparmor_parser is cached
-
- This change updates parser/Makefile to respect target dependencies and
- not rebuild apparmor_parser if nothing's changed. The goal is to allow
- cross-compiled tests #17 to run on a target system without the tests
- attempting to rebuild the parser.
-
- Two changes were made:
-
- * Generate af_names.h in a script so the script timestamp is compared.
- * Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
-
- Changes to list_af_names are intended to exactly replicate the old
- behavior.
-
- Signed-off-by: Eric Chiang
-
-diff --git a/common/Make.rules b/common/Make.rules
-index d2149fcd..357bdec8 100644
---- a/common/Make.rules
-+++ b/common/Make.rules
-@@ -87,27 +87,6 @@ CAPABILITIES=$(shell echo "\#include " | cpp -dM | LC_ALL=C
- list_capabilities: /usr/include/linux/capability.h
- @echo "$(CAPABILITIES)"
-
--# =====================
--# generate list of network protocols based on
--# sys/socket.h for use in multiple locations in
--# the source tree
--# =====================
--
--# These are the families that it doesn't make sense for apparmor
--# to mediate. We use PF_ here since that is what is required in
--# bits/socket.h, but we will rewrite these as AF_.
--
--FILTER_FAMILIES=PF_UNIX
--
--__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
--
--# emits the AF names in a "AF_NAME NUMBER," pattern
--AF_NAMES=$(shell echo "\#include " | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
--
--.PHONY: list_af_names
--list_af_names:
-- @echo "$(AF_NAMES)"
--
- # =====================
- # manpages
- # =====================
-diff --git a/common/list_af_names.sh b/common/list_af_names.sh
-new file mode 100755
-index 00000000..d7987537
---- /dev/null
-+++ b/common/list_af_names.sh
-@@ -0,0 +1,19 @@
-+#!/bin/bash -e
-+
-+# =====================
-+# generate list of network protocols based on
-+# sys/socket.h for use in multiple locations in
-+# the source tree
-+# =====================
-+
-+# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
-+# for "PF_" constants since that is what is required in bits/socket.h, but
-+# rewrite as "AF_".
-+
-+echo "#include " | \
-+ cpp -dM | \
-+ LC_ALL=C sed -n \
-+ -e '/PF_UNIX/d' \
-+ -e 's/PF_LOCAL/PF_UNIX/' \
-+ -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
-+ sort -n -k2
-diff --git a/parser/Makefile b/parser/Makefile
-index 558d9616..9a18f4da 100644
---- a/parser/Makefile
-+++ b/parser/Makefile
-@@ -278,10 +278,9 @@ parser_version.h: Makefile
- # as well as the filtering that occurs for network protocols that
- # apparmor should not mediate.
-
--.PHONY: af_names.h
--af_names.h:
-- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
-- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
-+af_names.h: ../common/list_af_names.sh
-+ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
-+ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
- # cat $@
-
- cap_names.h: /usr/include/linux/capability.h
-@@ -301,10 +300,7 @@ tests: apparmor_parser ${TESTS}
- sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
- $(Q)$(MAKE) -s -C tst tests
-
--# always need to rebuild.
--.SILENT: $(AAREOBJECT)
--.PHONY: $(AAREOBJECT)
--$(AAREOBJECT):
-+$(AAREOBJECT): FORCE
- $(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
-
- .PHONY: install-rhel4
-@@ -404,3 +400,4 @@ clean: pod_clean
- $(MAKE) -s -C po clean
- $(MAKE) -s -C tst clean
-
-+FORCE:
-diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
-index 1ea8191d..ca14df5c 100644
---- a/utils/vim/create-apparmor.vim.py
-+++ b/utils/vim/create-apparmor.vim.py
-@@ -57,7 +57,7 @@ for cap in capabilities:
- benign_caps.append(cap)
-
- # get network protos list
--(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
-+(rc, output) = cmd(['../../common/list_af_names.sh'])
- if rc != 0:
- sys.stderr.write("make list_af_names failed: " + output)
- exit(rc)
diff --git a/usr-etc-abstractions-base-nameservice.diff b/usr-etc-abstractions-base-nameservice.diff
index fb01a4b..4e23164 100644
--- a/usr-etc-abstractions-base-nameservice.diff
+++ b/usr-etc-abstractions-base-nameservice.diff
@@ -72,7 +72,7 @@ index ec639cda..4024ba1e 100644 # When using libnss-extrausers, the passwd and group files are merged from # an alternate path
-@@ -36,15 +36,15 @@
+@@ -41,15 +41,15 @@ /var/lib/sss/mc/passwd r, /var/lib/sss/pipes/nss rw,
@@ -92,7 +92,7 @@ index ec639cda..4024ba1e 100644 # db backend /var/lib/misc/*.db r, # The Name Service Cache Daemon can cache lookups, sometimes leading
-@@ -60,14 +60,14 @@
+@@ -65,14 +65,14 @@ # they are available /{usr/,}lib{,32,64}/libnss_*.so* mr, /{usr/,}lib/@{multiarch}/libnss_*.so* mr,