- remove dependency on /usr/bin/python3 by rewriting the installed scripts' shebangs with the %python3_fix_shebang macro [bsc#1212476]

OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=423
Christian Boltz 2024-08-22 19:23:03 +00:00 committed by Git OBS Bridge
commit 1776b493ba
27 changed files with 4742 additions and 0 deletions

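--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text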

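--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc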

_multibuild Normal file

@ -0,0 +1,4 @@
<multibuild>
<package>libapparmor</package>
</multibuild>


@ -0,0 +1,26 @@
commit cabd88a94055d2a7b876758d36fe559a6b728f45
Author: Christian Boltz <apparmor@cboltz.de>
Date: Sat May 25 13:12:49 2024 +0200
Fix aa-remove-unknown for 'unconfined' profiles
Without this patch, aa-remove-unknown uses 'profile_name (unconfined)'
when trying to unload unconfined profiles, which fails for obvious
reasons with (picking a random example)
Removing 'busybox (unconfined)'
/sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory
diff --git a/utils/aa-remove-unknown b/utils/aa-remove-unknown
index 0e00d6a03..983d23727 100755
--- a/utils/aa-remove-unknown
+++ b/utils/aa-remove-unknown
@@ -89,7 +89,7 @@ LOADED_PROFILES=$("$PARSER" -N $PROFILE_DIRS) || {
echo "$LOADED_PROFILES" | awk '
BEGIN {
while (getline < "'${PROFILES}'" ) {
- str = sub(/ \((enforce|complain)\)$/, "", $0);
+ str = sub(/ \((enforce|complain|unconfined)\)$/, "", $0);
if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0)
arr[$str] = $str
}


@ -0,0 +1,23 @@
Make the <apache2.d> include optional to avoid problems with empty profile dir.
Probably doesn't happen on real systems, but openQA uses an empty profile dir
for some tests.
Note: the patch gets applied before moving the profile to the extra directory
because quilt doesn't run the 'mv' command and therefore fails to patch the
profile at its new location (extra profiles directory)
Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1178527
Index: profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2
===================================================================
--- profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100
+++ profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100
@@ -75,7 +75,7 @@ include <tunables/global>
# This directory contains web application
# package-specific apparmor files.
- include <apache2.d>
+ include if exists <apache2.d>
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.apache2.mpm-prefork.apache2>


@ -0,0 +1,26 @@
Set the cache location to /var/cache/apparmor/ (writeable) and
/usr/share/apparmor/cache/ (packaged precompiled cache).
See boo#1069906 and boo#1074429
Note that Tumbleweed packages don't include precompiled profile cache on
Tumbleweed as long as it's purely validated based on timestamps (boo#1205659)
Signed-off by: Christian Boltz <apparmor@cboltz.de>
Index: parser/parser.conf
===================================================================
--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
@@ -31,6 +31,9 @@
## Turn creating/updating of the cache on by default
write-cache
+
+# cache location (cache writes go to the first directory in the list)
+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
## Show cache hits
#show-cache
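Review bot: The second `cache-loc` directory points the parser at the read-only packaged cache, and this file's own header says the Tumbleweed build is skipped precisely because cache validity is decided by timestamps alone (boo#1205659); presumably the same holds on the releases that do ship it, so a profile under `/etc/apparmor.d` whose mtime is not newer than the packaged binary — one restored with preserved timestamps, say — would load the stale compiled policy instead of its text. The added comment should say so, because an administrator reading `parser.conf` otherwise gets no hint why an edit may not take effect: `# NOTE: cache hits are decided by timestamp only; a cached binary newer than the profile text wins, so touch an edited profile if a change does not apply`. Whether the parser also cross-checks the cache's `.features` file before trusting an entry is not visible from here.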


@ -0,0 +1,26 @@
Enable caching of profiles.
This speeds up loading the (unchanged) profiles about 20 times.
Upstream doesn't enable caching because the cache directory is not
writeable at the time profiles are loaded in Ubuntu.
See also bnc#689458
Signed-off by: Christian Boltz <apparmor@cboltz.de>
Index: parser/parser.conf
===================================================================
--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
@@ -31,7 +31,7 @@
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
## Turn creating/updating of the cache on by default
-#write-cache
+write-cache
## Show cache hits
#show-cache


@ -0,0 +1,57 @@
Index: profiles/apparmor.d/usr.bin.lessopen.sh
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ profiles/apparmor.d/usr.bin.lessopen.sh 2017-10-28 14:15:12.624358664 +0200
@@ -0,0 +1,52 @@
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+#include <tunables/global>
+
+/usr/bin/lessopen.sh {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/consoles>
+ #include <abstractions/perl>
+
+ capability dac_override,
+ capability dac_read_search,
+
+ /** rk,
+ /{usr/,}bin/bash mrix,
+ /{usr/,}bin/rpm mrix,
+ /{usr/,}bin/tar mrix,
+ /tmp/less.* rw,
+ /usr/bin/bzip2 mrix,
+ /usr/bin/cabextract mrix,
+ /usr/bin/cat mrix,
+ /usr/bin/colordiff mrix,
+ /usr/bin/dvi2tty mrix,
+ /usr/bin/eqn mrix,
+ /usr/bin/file mrix,
+ /usr/bin/grep mrix,
+ /usr/bin/groff mrix,
+ /usr/bin/grotty mrix,
+ /usr/bin/gzip mrix,
+ /usr/bin/head mrix,
+ /usr/bin/lynx mrix,
+ /usr/bin/mktemp mrix,
+ /usr/bin/nm mrix,
+ /usr/bin/pic mrix,
+ /usr/bin/pdftotext mrix,
+ /usr/bin/ps2ascii mrix,
+ /usr/bin/rm mrix,
+ /usr/bin/seq mrix,
+ /usr/bin/soelim mrix,
+ /usr/bin/tar mrix,
+ /usr/bin/tbl mrix,
+ /usr/bin/troff mrix,
+ /usr/bin/unzip mrix,
+ /usr/bin/unzip-plain mrix,
+ /usr/bin/w3m mrix,
+ /usr/bin/which mrix,
+ /usr/bin/xz mrix,
+
+ include if exists <local/usr.bin.lessopen.sh>
+}
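Review bot: The two capability rules let a root-invoked `lessopen.sh` bypass DAC checks, which together with the `/** rk,` rule turns a pager helper into a reader of every file on the system; for a helper that only reads, `dac_read_search` already covers that case, while `dac_override` additionally waives write-permission checks, so unless a recorded denial needs it, drop `capability dac_override,`. The only write rule, `/tmp/less.* rw,`, covers a shared directory, so bind it to the caller's own files, `owner /tmp/less.* rw,`, so the helper cannot clobber another user's `less.*` temp file. Style-wise the profile mixes the legacy `#include <tunables/global>` / `#include <abstractions/...>` form with an `abi <abi/4.0>,` line and `include if exists`; the apache profile patched in this same commit uses the bare `include <tunables/global>`, and these `#include` lines should follow suit.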

apparmor-rpmlintrc Normal file

@ -0,0 +1,7 @@
# .features file for pre-compiled cache
addFilter("hidden-file-or-dir /usr/share/apparmor/cache/[0-9a-f]*.0/.features")
# warnings for the disabled tomcat_apparmor subpackage
# addFilter("devel-file-in-non-devel-package.*/usr/lib63/libJNIChangeHat.so")
# addFilter("devel-file-in-non-devel-package.*/usr/lib/libJNIChangeHat.so")
# addFilter("shlib-policy-name-error.*libJNIChangeHat0")

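--- a/apparmor-v4.0.1.tar.gz
+++ b/apparmor-v4.0.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0d72cedc48e533d189ea415bde721ad597101c77fa398fdd2858ec4f58f7e26
+size 6984984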


@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=eji6
-----END PGP SIGNATURE-----

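--- a/apparmor-v4.0.2.tar.gz
+++ b/apparmor-v4.0.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b847751b8c0e2344169ec2065cad6251063c5c5ff311953e194bbf25686d981
+size 6987316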


@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmagRIsaHGFwcGFybW9y
QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLtWbg//brM4s3laj5L+MnsiOeHr
x3V9lC3hM2N1IEMBLuEZLZ6pZg0WKDAyJ93DdBmVrX/xXIw6vPUvWRCW8rGv9JJr
e5KvCI8282gRqvldowc+GX92KuXVTWBafccqlxvfnjLPIjas1/Ft4oubsv5PK97F
ix4wlW6A+/CXNQ3vP2Dbpb/gVsCOwmSLqJUQz3g40PXUdmB6qHaw3XsIBQWUTX91
AIPQ6WA9OEp4kupqTgw0ih/8XsLVzb8xx8v5AzQILy1jEV4E7IIN01nN5dXrj+25
s0kZO1iEctNVgsU3Db7BJMJvAolps1R+c5I6grcS01FaOAwx1TuSacZaDkn+rqpn
mX62UOly3OHAV7WW1X5U/Jt0rqwekH1su1TlI66bqu7OATlfdceLXe0S79U8txEd
1T4iZZEPjflk5YjqNYN/C4nDgbNQ9wTDmnY4Q2+ExJKzv/ddD1ulEMiZAE/skNj2
ztdwB3RZ6aeck0iWuWq/EQsg4c68rnKxwmROzmMuAPtMF3SS1B3CKQDMVib/aJn7
DY+K4aXBMXrt0RTVa1n86/hDorWaJcB3XoVXGTaEAQhxzArVCF7/p3uVpoK0AM/D
VYCta1j6cFupVQAHRR2m2+Y3fOFiFRWY9TPE62TTNKERjLQpA2MujevkQ7UOGnuC
Q6BkrVpPQyVuhIXsP0GkH/c=
=fBvk
-----END PGP SIGNATURE-----

apparmor.changes Normal file


apparmor.keyring Normal file

@ -0,0 +1,113 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=z6xV
-----END PGP PUBLIC KEY BLOCK-----

apparmor.spec Normal file

@ -0,0 +1,895 @@
#
# spec file for package apparmor
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2011-2024 Christian Boltz
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?suse_version} >= 1550
%define sbindir %_sbindir
%define apparmor_bin_prefix /usr/lib/apparmor
%else
%define sbindir /sbin
%define apparmor_bin_prefix /lib/apparmor
%endif
%if 0%{?suse_version} <= 1500
# _pamdir isn't defined in 15.x
%define _pamdir /%{_lib}/security
%endif
# warning - confusing syntax ahead ;-)
# bcond_with means "disable"
# bcond_without means "enable"
%bcond_with tomcat
%bcond_without pam
%bcond_without apache
%bcond_without perl
%bcond_without python3
%bcond_without ruby
%if 0%{?suse_version} <= 1550
# enable precompiled profile cache on <= 15.x
%bcond_without precompiled_cache
%else
# don't build precompiled profile cache on Tumbleweed as long as it's purely validated based on timestamps (boo#1205659)
%bcond_with precompiled_cache
%endif
%define CATALINA_HOME /usr/share/tomcat6
%define JAR_FILE changeHatValve.jar
%define tarversion v4.0.2
%define pyeggversion 4.0.2
Name: apparmor
Version: 4.0.2
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
URL: https://gitlab.com/apparmor/apparmor/
Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.gz
# from https://gitlab.com/apparmor/apparmor/-/wikis/%{version}_Signatures
Source1: apparmor-%{tarversion}.tar.gz.asc
Source2: %{name}.keyring
Source6: baselibs.conf
Source7: apparmor-rpmlintrc
# enable caching of profiles (= massive performance speedup when loading profiles)
# and set cache-loc in parser.conf and apparmor.service accordingly
Patch1: apparmor-enable-profile-cache.diff
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch4: apparmor-lessopen-profile.patch
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
Patch6: apache-extra-profile-include-if-exists.diff
# add path for precompiled cache (only done/applied if precompiled_cache is enabled)
Patch7: apparmor-enable-precompiled-cache.diff
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: autoconf
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: bison
BuildRequires: dejagnu
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: iproute2
BuildRequires: libtool
BuildRequires: pcre-devel
BuildRequires: pkg-config
BuildRequires: python3
BuildRequires: swig
BuildRequires: perl(Locale::gettext)
%if %{with python3}
BuildRequires: python-rpm-macros
BuildRequires: python3-devel
BuildRequires: python3-notify2
BuildRequires: python3-psutil
BuildRequires: python3-setuptools
%endif
%if %{with ruby}
BuildRequires: ruby-devel
%endif
%if %{with apache}
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel
%endif
%if %{with tomcat}
BuildRequires: ant
BuildRequires: java-devel >= 1.6.0
BuildRequires: tomcat6
%endif
%package parser
Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
Conflicts: apparmor-utils < 3.0
Obsoletes: libimnxcert < 2.9
Obsoletes: subdomain-leaf-cert < 2.9
Obsoletes: subdomain-parser < 2.9
Obsoletes: subdomain-parser-common < 2.9
Obsoletes: subdomain-parser-demo < 2.9
Obsoletes: subdomain_parser < 2.9
Provides: libimnxcert = %{version}
Provides: subdomain-leaf-cert = %{version}
Provides: subdomain-parser = %{version}
Provides: subdomain-parser-common = %{version}
Provides: subdomain-parser-demo = %{version}
Provides: subdomain_parser = %{version}
Provides: apparmor-parser(CAP_SYSLOG)
BuildRequires: systemd-rpm-macros
%{?systemd_ordering}
%description parser
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.
This package is part of a suite of tools that used to be named
SubDomain.
%package docs
Summary: AppArmor Documentation package
License: GPL-2.0-or-later
Group: Documentation/Other
BuildArch: noarch
%description docs
This package contains documentation for AppArmor.
This package is part of a suite of tools that used to be named
SubDomain.
%if %{with apache}
%package -n apache2-mod_apparmor
Summary: AppArmor module for apache2
License: GPL-2.0-or-later
Group: Productivity/Security
%description -n apache2-mod_apparmor
apache2-modapparmor adds support to apache2 to provide AppArmor
confinement to individual cgi scripts handled by apache modules like
mod_php and mod_perl.
This package is part of a suite of tools that used to be named
SubDomain.
The documentation is in the apparmor-admin_en package.
%endif
%if %{with perl}
%package -n perl-apparmor
Summary: Perl interface for libapparmor functions
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Development/Libraries/Perl
Requires: libapparmor1 = %{version}
Requires: perl = %{perl_version}
Provides: perl-libapparmor = %{version}
Obsoletes: perl-libapparmor < 2.5
%description -n perl-apparmor
This package provides the perl interface to AppArmor. It is used for perl
applications interfacing with AppArmor.
%endif
%if %{with python3}
%package -n python3-apparmor
Summary: Python 3 interface for libapparmor functions
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Development/Libraries/Python
Requires: libapparmor1 = %{version}
Requires: python3
Requires: python(abi) = %{py3_ver}
%description -n python3-apparmor
This package provides the python interface to AppArmor. It is used for python
applications interfacing with AppArmor.
%endif
%if %{with ruby}
%package -n ruby-apparmor
Summary: Ruby interface for libapparmor functions
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Development/Languages/Ruby
Requires: libapparmor1 = %{version}
Requires: ruby = %(rpm -q --qf '%%{version}' ruby)
Provides: ruby-libapparmor = %{version}
Obsoletes: ruby-libapparmor < 2.5
%description -n ruby-apparmor
This package provides the ruby interface to AppArmor. It is used for ruby
applications interfacing with AppArmor.
%endif
%package abstractions
Summary: AppArmor abstractions and directory structure
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Productivity/Security
Requires: apparmor-parser(CAP_SYSLOG)
BuildArch: noarch
%description abstractions
AppArmor abstractions (common parts used in various profiles) and
the /etc/apparmor.d/ directory structure.
AppArmor is a file and network mandatory access control mechanism.
AppArmor confines processes to the resources allowed by the systems
administrator and can constrain the scope of potential security
vulnerabilities.
This package is part of a suite of tools that used to be named
SubDomain.
%package profiles
Summary: AppArmor profiles that are loaded into the apparmor kernel module
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Productivity/Security
Requires: apparmor-abstractions >= %{version}
Requires: apparmor-parser(CAP_SYSLOG)
Obsoletes: subdomain-profiles < 2.9
Provides: subdomain-profiles = %{version}
BuildArch: noarch
%description profiles
Base profiles. AppArmor is a file and network mandatory access control
mechanism. AppArmor confines processes to the resources allowed by the
systems administrator and can constrain the scope of potential security
vulnerabilities.
This package is part of a suite of tools that used to be named
SubDomain.
%package utils
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Productivity/Security
Requires: apparmor-parser
Requires: libapparmor1 = %{version}
Requires: python3-apparmor = %{version}
Requires: python3-base
Requires: python3-notify2
Requires: python3-psutil
# aa-unconfined needs ss
Recommends: iproute2
BuildArch: noarch
%description utils
This package provides the aa-logprof, aa-genprof, aa-autodep,
aa-enforce, and aa-complain tools to assist with profile authoring.
Besides it provides the aa-unconfined server information tool.
It is part of a suite of tools that used to be named SubDomain.
%if %{with tomcat}
%package -n tomcat_apparmor
Summary: Tomcat 6 plugin for AppArmor change_hat
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: System/Libraries
Requires: libapparmor1 = %{version}
Requires: tomcat6
%description -n tomcat_apparmor
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that
provides support for AppArmor change_hat for creating AppArmor
containers that are bound to discrete elements of processing within the
Tomcat servlet container. The AppArmor containers, or "hats", can be
created for individual URL processing or per servlet.
%endif
%if %{with pam}
%package -n pam_apparmor
Summary: PAM module for AppArmor change_hat
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Productivity/Security
BuildRequires: pam-devel
PreReq: pam
PreReq: pam-config
Requires: pam
Requires: pam-config
%description -n pam_apparmor
The pam_apparmor module provides the means for any PAM applications
that call pam_open_session() to automatically perform an AppArmor
change_hat operation in order to switch to a user-specific security
policy.
%endif
%description
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.
This package is part of a suite of tools that used to be named
SubDomain.
%lang_package -n apparmor-utils
%lang_package -n apparmor-parser
%prep
%setup -q -n %{name}-%{tarversion}
# very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984)
mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/
%patch -P 1
%patch -P 4
%patch -P 6
%if %{with precompiled_cache}
%patch -P 7
%endif
%build
export SUSE_ASNEEDED=0
# libapparmor:
(
cd ./libraries/libapparmor
sh ./autogen.sh && \
%configure \
%if %{with perl}
--with-perl \
%endif
%if %{with python3}
--with-python \
%else
--without-python \
%endif
%if %{with ruby}
--with-ruby \
%else
--without-ruby \
%endif
make
)
# Utilities:
make -C utils
# binutils
make -C binutils
# parser:
make -C parser V=1
# Apache mod_apparmor:
%if %{with apache}
make -C changehat/mod_apparmor
%endif
# PAM AppArmor:
%if %{with pam}
make -C changehat/pam_apparmor
%endif
# Profiles:
make -C profiles
%if %{with tomcat}
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif
# pre-build profile cache
# note that -L only works with an absolute path, therefore prefix it with $(pwd)
%if %{with precompiled_cache}
parser/apparmor_parser --config-file $(pwd)/parser/parser.conf --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
%endif
# create filelist of previously (up to 3.1.x) shipped local/* files
# (adding them as %ghost prevents modified files from being moved to *.rpmsave)
for oldlocal in \
bin.ping lsb_release nvidia_modprobe php-fpm samba-bgqd samba-dcerpcd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss sbin.klogd sbin.syslogd sbin.syslog-ng \
usr.bin.lessopen.sh usr.lib.dovecot.anvil usr.lib.dovecot.auth usr.lib.dovecot.config usr.lib.dovecot.deliver usr.lib.dovecot.dict usr.lib.dovecot.director \
usr.lib.dovecot.doveadm-server usr.lib.dovecot.dovecot-auth usr.lib.dovecot.dovecot-lda usr.lib.dovecot.imap usr.lib.dovecot.imap-login usr.lib.dovecot.lmtp \
usr.lib.dovecot.log usr.lib.dovecot.managesieve usr.lib.dovecot.managesieve-login usr.lib.dovecot.pop3 usr.lib.dovecot.pop3-login usr.lib.dovecot.replicator \
usr.lib.dovecot.script-login usr.lib.dovecot.ssl-params usr.lib.dovecot.stats usr.sbin.apache2 usr.sbin.avahi-daemon usr.sbin.dnsmasq usr.sbin.dovecot \
usr.sbin.identd usr.sbin.mdnsd usr.sbin.nmbd usr.sbin.nscd usr.sbin.ntpd usr.sbin.smbd usr.sbin.smbd-shares usr.sbin.smbldap-useradd usr.sbin.traceroute \
usr.sbin.winbindd zgrep
do
echo "%ghost %config %attr(0644,root,root) /etc/apparmor.d/local/$oldlocal"
done > oldlocal.files
%check
make check -C libraries/libapparmor
make check -C parser
make check -C binutils
# some tests depend on kernel LSM (e.g. access /proc/PID/attr/apparmor/current)
if grep -q apparmor /sys/kernel/security/lsm; then
# profiles make check fails for the utils (they expect
# /sbin/apparmor_parser to exist), therefore only do parser-based check
make -C profiles check-parser
%if %{with precompiled_cache}
# test for a few files that should exist in the cache
test -f profiles/cache/*/bin.ping
test -f profiles/cache/*/.features
%endif
# run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121
make check -o check_lint -C utils
else
# clear grep status to avoid flagging check failure
true
fi
%install
# libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec
%makeinstall -C libraries/libapparmor/swig
# utilities
%makeinstall -C utils
test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568
mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
# binutils
%makeinstall -C binutils
( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )
%makeinstall -C profiles
%if %{with precompiled_cache}
install -d -m 755 %{buildroot}/usr/share/apparmor/cache
echo -e "\n\n *** WARNING: precompiling cache is known to fail under 'osc build' - use 'osc build --vm-type kvm' instead or skip building the precompiled cache with 'osc build --without precompiled_cache' ***\n\n"
# ensure cache files are newer than (text) profiles by sleeping a few seconds, and using cp -r which updates the timestamps
sleep 2
cp -r profiles/cache/* %{buildroot}/usr/share/apparmor/cache
test -f %{buildroot}/usr/share/apparmor/cache/*/.features
test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
%endif
%makeinstall SBINDIR="%{buildroot}%{sbindir}" APPARMOR_BIN_PREFIX="%{buildroot}%{apparmor_bin_prefix}" -C parser
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
%if %{with apache}
%makeinstall -C changehat/mod_apparmor
%endif
%if %{with pam}
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_pamdir}
%endif
%if %{with tomcat}
mkdir -p %{buildroot}/%{CATALINA_HOME}
%makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
%endif
find %{buildroot} -name .packlist -exec rm -vf {} \;
find %{buildroot} -name perllocal.pod -exec rm -vf {} \;
# Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm].
# Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix
for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
d=$(dirname $file)
f=$(basename $file)
case "${f#aa-}" in
audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \
audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
if [ "${f#aa-}" != "$f" ]; then
ln -s $f $d/${f#aa-}
fi
;;
esac
done
mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
rm -f %{buildroot}%{_mandir}/man8/decode.8
for pkg in apparmor-utils apparmor-parser aa-binutils; do
%find_lang $pkg
done
# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
# bsc#1212476
%python3_fix_shebang
%files docs
%defattr(-,root,root)
%doc parser/*.[1-9].html
%doc utils/vim/apparmor.vim.5.html
%doc common/apparmor.css
#doc parser/techdoc.pdf
# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/apparmor.vim
%files parser
%defattr(-,root,root)
%license parser/COPYING.GPL
%doc parser/README
%{sbindir}/apparmor_parser
%{_bindir}/aa-enabled
%{_bindir}/aa-exec
%{_bindir}/aa-features-abi
%{_sbindir}/aa-load
%{_sbindir}/aa-status
%{_sbindir}/apparmor_status
%{_sbindir}/status
%{_sbindir}/aa-teardown
%{_sbindir}/exec
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache.d
%{sbindir}/rcapparmor
%{_unitdir}/apparmor.service
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/cache/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%{apparmor_bin_prefix}/apparmor.systemd
%{apparmor_bin_prefix}/profile-load
%doc %{_mandir}/man1/aa-enabled.1.gz
%doc %{_mandir}/man1/aa-exec.1.gz
%doc %{_mandir}/man1/aa-features-abi.1.gz
%doc %{_mandir}/man1/exec.1.gz
%doc %{_mandir}/man5/apparmor.d.5.gz
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man7/apparmor.7.gz
%doc %{_mandir}/man7/apparmor_xattrs.7.gz
%doc %{_mandir}/man8/aa-status.8.gz
%doc %{_mandir}/man8/aa-teardown.8.gz
%doc %{_mandir}/man8/apparmor_parser.8.gz
%doc %{_mandir}/man8/apparmor_status.8.gz
%pre parser
%service_add_pre apparmor.service
%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang
%defattr(-,root,root)
%files abstractions
%defattr(644,root,root,755)
%dir %{_sysconfdir}/apparmor.d/
%dir %{_sysconfdir}/apparmor.d/abi
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/3.0
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/4.0
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-outoftree-network
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-vanilla
%dir %{_sysconfdir}/apparmor.d/abstractions
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/*
%dir %{_sysconfdir}/apparmor.d/disable
%dir %{_sysconfdir}/apparmor.d/local
%dir %{_sysconfdir}/apparmor.d/tunables
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
%files profiles -f oldlocal.files
%defattr(644,root,root,755)
%dir %{_sysconfdir}/apparmor.d/apache2.d
%config(noreplace) %{_sysconfdir}/apparmor.d/bin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
%config(noreplace) %{_sysconfdir}/apparmor.d/1password
%config(noreplace) %{_sysconfdir}/apparmor.d/Discord
%config(noreplace) %{_sysconfdir}/apparmor.d/MongoDB_Compass
%config(noreplace) %{_sysconfdir}/apparmor.d/QtWebEngineProcess
%config(noreplace) %{_sysconfdir}/apparmor.d/balena-etcher
%config(noreplace) %{_sysconfdir}/apparmor.d/brave
%config(noreplace) %{_sysconfdir}/apparmor.d/buildah
%config(noreplace) %{_sysconfdir}/apparmor.d/busybox
%config(noreplace) %{_sysconfdir}/apparmor.d/cam
%config(noreplace) %{_sysconfdir}/apparmor.d/ch-checkns
%config(noreplace) %{_sysconfdir}/apparmor.d/ch-run
%config(noreplace) %{_sysconfdir}/apparmor.d/chrome
%config(noreplace) %{_sysconfdir}/apparmor.d/chromium
%config(noreplace) %{_sysconfdir}/apparmor.d/code
# exclude crun, podman and runc profiles until the updated container engines (including updated profile with "signal peer=runc") has arrived
#config(noreplace) %{_sysconfdir}/apparmor.d/crun
%exclude %{_sysconfdir}/apparmor.d/crun
%exclude %{_sysconfdir}/apparmor.d/podman
%exclude %{_sysconfdir}/apparmor.d/runc
%config(noreplace) %{_sysconfdir}/apparmor.d/devhelp
%config(noreplace) %{_sysconfdir}/apparmor.d/element-desktop
%config(noreplace) %{_sysconfdir}/apparmor.d/epiphany
%config(noreplace) %{_sysconfdir}/apparmor.d/evolution
%config(noreplace) %{_sysconfdir}/apparmor.d/firefox
%config(noreplace) %{_sysconfdir}/apparmor.d/flatpak
%config(noreplace) %{_sysconfdir}/apparmor.d/foliate
%config(noreplace) %{_sysconfdir}/apparmor.d/geary
%config(noreplace) %{_sysconfdir}/apparmor.d/github-desktop
%config(noreplace) %{_sysconfdir}/apparmor.d/goldendict
%config(noreplace) %{_sysconfdir}/apparmor.d/ipa_verify
%config(noreplace) %{_sysconfdir}/apparmor.d/kchmviewer
%config(noreplace) %{_sysconfdir}/apparmor.d/keybase
%config(noreplace) %{_sysconfdir}/apparmor.d/lc-compliance
%config(noreplace) %{_sysconfdir}/apparmor.d/libcamerify
%config(noreplace) %{_sysconfdir}/apparmor.d/linux-sandbox
%config(noreplace) %{_sysconfdir}/apparmor.d/loupe
%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-attach
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-create
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-destroy
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-execute
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-stop
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-unshare
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-usernsexec
%config(noreplace) %{_sysconfdir}/apparmor.d/mmdebstrap
%config(noreplace) %{_sysconfdir}/apparmor.d/msedge
%config(noreplace) %{_sysconfdir}/apparmor.d/nautilus
%config(noreplace) %{_sysconfdir}/apparmor.d/notepadqq
%config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
%config(noreplace) %{_sysconfdir}/apparmor.d/obsidian
%config(noreplace) %{_sysconfdir}/apparmor.d/opam
%config(noreplace) %{_sysconfdir}/apparmor.d/opera
%config(noreplace) %{_sysconfdir}/apparmor.d/pageedit
%config(noreplace) %{_sysconfdir}/apparmor.d/plasmashell
%config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
%config(noreplace) %{_sysconfdir}/apparmor.d/polypane
%config(noreplace) %{_sysconfdir}/apparmor.d/privacybrowser
%config(noreplace) %{_sysconfdir}/apparmor.d/qcam
%config(noreplace) %{_sysconfdir}/apparmor.d/qmapshack
%config(noreplace) %{_sysconfdir}/apparmor.d/qutebrowser
%config(noreplace) %{_sysconfdir}/apparmor.d/rootlesskit
%config(noreplace) %{_sysconfdir}/apparmor.d/rpm
%config(noreplace) %{_sysconfdir}/apparmor.d/rssguard
#config(noreplace) %{_sysconfdir}/apparmor.d/runc
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-*
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-abort
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-adduser
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-apt
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-checkpackages
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-clean
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-createchroot
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-destroychroot
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-distupgrade
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-hold
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-shell
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-unhold
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-update
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-upgrade
%config(noreplace) %{_sysconfdir}/apparmor.d/scide
%config(noreplace) %{_sysconfdir}/apparmor.d/signal-desktop
%config(noreplace) %{_sysconfdir}/apparmor.d/slack
%config(noreplace) %{_sysconfdir}/apparmor.d/slirp4netns
%config(noreplace) %{_sysconfdir}/apparmor.d/steam
%config(noreplace) %{_sysconfdir}/apparmor.d/stress-ng
%config(noreplace) %{_sysconfdir}/apparmor.d/surfshark
%config(noreplace) %{_sysconfdir}/apparmor.d/systemd-coredump
%config(noreplace) %{_sysconfdir}/apparmor.d/thunderbird
%config(noreplace) %{_sysconfdir}/apparmor.d/toybox
%config(noreplace) %{_sysconfdir}/apparmor.d/transmission
%config(noreplace) %{_sysconfdir}/apparmor.d/trinity
%config(noreplace) %{_sysconfdir}/apparmor.d/tup
%config(noreplace) %{_sysconfdir}/apparmor.d/tuxedo-control-center
%config(noreplace) %{_sysconfdir}/apparmor.d/unix-chkpwd
%config(noreplace) %{_sysconfdir}/apparmor.d/unprivileged_userns
%config(noreplace) %{_sysconfdir}/apparmor.d/userbindmount
%config(noreplace) %{_sysconfdir}/apparmor.d/uwsgi-core
%config(noreplace) %{_sysconfdir}/apparmor.d/vdens
%config(noreplace) %{_sysconfdir}/apparmor.d/virtiofsd
%config(noreplace) %{_sysconfdir}/apparmor.d/vivaldi-bin
%config(noreplace) %{_sysconfdir}/apparmor.d/vpnns
%config(noreplace) %{_sysconfdir}/apparmor.d/wike
%config(noreplace) %{_sysconfdir}/apparmor.d/wpcom
%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo
%config(noreplace) %{_sysconfdir}/apparmor.d/local/README
%dir /usr/share/apparmor/
%if %{with precompiled_cache}
/usr/share/apparmor/cache/
%endif
/usr/share/apparmor/extra-profiles/
%files utils
%defattr(-,root,root)
%dir %{_sysconfdir}/apparmor
%config(noreplace) %{_sysconfdir}/apparmor/easyprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/notify.conf
%config(noreplace) %{_sysconfdir}/apparmor/severity.db
%{_sbindir}/aa-audit
%{_sbindir}/aa-autodep
%{_sbindir}/aa-cleanprof
%{_sbindir}/aa-complain
%{_sbindir}/aa-decode
%{_sbindir}/aa-disable
%{_sbindir}/aa-enforce
%{_sbindir}/aa-genprof
%{_sbindir}/aa-logprof
%{_sbindir}/aa-mergeprof
%{_sbindir}/aa-notify
%{_sbindir}/aa-remove-unknown
%{_sbindir}/aa-unconfined
%{_sbindir}/audit
%{_sbindir}/autodep
%{_sbindir}/complain
%{_sbindir}/decode
%{_sbindir}/disable
%{_sbindir}/enforce
%{_sbindir}/genprof
%{_sbindir}/logprof
%{_sbindir}/notify
%{_sbindir}/unconfined
%{_bindir}/aa-easyprof
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/easyprof/
%dir %{_localstatedir}/log/apparmor
%doc %{_mandir}/man5/logprof.conf.5.gz
%doc %{_mandir}/man8/apparmor_notify.8.gz
%doc %{_mandir}/man8/aa-audit.8.gz
%doc %{_mandir}/man8/aa-autodep.8.gz
%doc %{_mandir}/man8/aa-cleanprof.8.gz
%doc %{_mandir}/man8/aa-complain.8.gz
%doc %{_mandir}/man8/aa-decode.8.gz
%doc %{_mandir}/man8/aa-disable.8.gz
%doc %{_mandir}/man8/aa-easyprof.8.gz
%doc %{_mandir}/man8/aa-enforce.8.gz
%doc %{_mandir}/man8/aa-genprof.8.gz
%doc %{_mandir}/man8/aa-logprof.8.gz
%doc %{_mandir}/man8/aa-mergeprof.8.gz
%doc %{_mandir}/man8/aa-notify.8.gz
%doc %{_mandir}/man8/aa-remove-unknown.8.gz
%doc %{_mandir}/man8/aa-unconfined.8.gz
%doc %{_mandir}/man8/audit.8.gz
%doc %{_mandir}/man8/autodep.8.gz
%doc %{_mandir}/man8/complain.8.gz
%doc %{_mandir}/man8/disable.8.gz
%doc %{_mandir}/man8/easyprof.8.gz
%doc %{_mandir}/man8/enforce.8.gz
%doc %{_mandir}/man8/genprof.8.gz
%doc %{_mandir}/man8/logprof.8.gz
%doc %{_mandir}/man8/unconfined.8.gz
%doc utils/*.[0-9].html
%doc common/apparmor.css
%files utils-lang -f apparmor-utils.lang
%if %{with perl}
%files -n perl-apparmor
%defattr(-,root,root)
%{perl_vendorarch}/auto/LibAppArmor/
%{perl_vendorarch}/LibAppArmor.pm
%endif
%if %{with python3}
%files -n python3-apparmor
%defattr(-,root,root)
%{python3_sitearch}/LibAppArmor-%{pyeggversion}-py*.egg-info
%dir %{python3_sitearch}/LibAppArmor
%dir %{python3_sitearch}/LibAppArmor/__pycache__
%{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so
%{python3_sitearch}/LibAppArmor/__pycache__/__init__.cpython-*.pyc
%{python3_sitearch}/LibAppArmor/__pycache__/LibAppArmor.cpython-*.pyc
%{python3_sitearch}/LibAppArmor/__init__.py
%{python3_sitearch}/LibAppArmor/LibAppArmor.py
%{python3_sitelib}/apparmor/
%{python3_sitelib}/apparmor-%{pyeggversion}-py*.egg-info
%endif
%if %{with ruby}
%files -n ruby-apparmor
%defattr(-,root,root)
%{rb_sitearchdir}/LibAppArmor.so
%endif
%if %{with pam}
%files -n pam_apparmor
%defattr(444,root,root,755)
%attr(555,root,root) %{_pamdir}/pam_apparmor.so
%doc changehat/pam_apparmor/README
%endif
%if %{with tomcat}
%files -n tomcat_apparmor
%defattr(-,root,root)
%{CATALINA_HOME}/lib/%{JAR_FILE}
%{_libdir}/libJNI*
%doc %attr(0644,root,root) changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor
%endif
%if %{with apache}
%files -n apache2-mod_apparmor
%defattr(-,root,root)
%{apache_libexecdir}/mod_apparmor.so
%doc %{_mandir}/man8/mod_apparmor.8.gz
%endif
%post parser
%service_add_post apparmor.service
%preun parser
%service_del_preun apparmor.service
%postun parser
# bnc#853019 aka boo#853019 is still a thing, but in the meantime apparmor.service has ExecStop=/bin/true (= do nothing),
# which means that 'systemctl restart apparmor' is safe now
%service_del_postun apparmor.service
%posttrans abstractions
# workaround for bnc#904620#c8 / lp#1392042
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
%post profiles
# delete old cache (location up to 2.12)
rm -f /var/lib/apparmor/cache/* 2>/dev/null
# cleanup old, unchanged local/* files
for oldlocal in \
bin.ping lsb_release nvidia_modprobe php-fpm samba-bgqd samba-dcerpcd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss sbin.klogd sbin.syslogd sbin.syslog-ng \
usr.bin.lessopen.sh usr.lib.dovecot.anvil usr.lib.dovecot.auth usr.lib.dovecot.config usr.lib.dovecot.deliver usr.lib.dovecot.dict usr.lib.dovecot.director \
usr.lib.dovecot.doveadm-server usr.lib.dovecot.dovecot-auth usr.lib.dovecot.dovecot-lda usr.lib.dovecot.imap usr.lib.dovecot.imap-login usr.lib.dovecot.lmtp \
usr.lib.dovecot.log usr.lib.dovecot.managesieve usr.lib.dovecot.managesieve-login usr.lib.dovecot.pop3 usr.lib.dovecot.pop3-login usr.lib.dovecot.replicator \
usr.lib.dovecot.script-login usr.lib.dovecot.ssl-params usr.lib.dovecot.stats usr.sbin.apache2 usr.sbin.avahi-daemon usr.sbin.dnsmasq usr.sbin.dovecot \
usr.sbin.identd usr.sbin.mdnsd usr.sbin.nmbd usr.sbin.nscd usr.sbin.ntpd usr.sbin.smbd usr.sbin.smbd-shares usr.sbin.smbldap-useradd usr.sbin.traceroute \
usr.sbin.winbindd zgrep
do
if [ -f "/etc/apparmor.d/local/$oldlocal" ] && [ "$(cat /etc/apparmor.d/local/$oldlocal)" = "# Site-specific additions and overrides for '$oldlocal'" ] ; then
rm "/etc/apparmor.d/local/$oldlocal" || :
fi
done
%posttrans profiles
# workaround for bnc#904620#c8 / lp#1392042
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
%if %{with tomcat}
%post -n tomcat_apparmor -p /sbin/ldconfig
%postun -n tomcat_apparmor -p /sbin/ldconfig
%endif
%if %{with pam}
%post -n pam_apparmor
if [ $1 -eq 1 ]; then
pam-config --add --apparmor || :
fi
%postun -n pam_apparmor
if [ $1 -eq 0 ]; then
pam-config --delete --apparmor || :
fi
%endif
%changelog

5
baselibs.conf Normal file

@ -0,0 +1,5 @@
pam_apparmor
supplements "packageand(pam_apparmor:pam-<targettype>)"
libapparmor1
obsoletes "libapparmor-<targettype> <= <version>"
provides "libapparmor-<targettype> = <version>"

128
libapparmor.spec Normal file

@ -0,0 +1,128 @@
#
# spec file for package libapparmor
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2011-2024 Christian Boltz
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define tarversion v4.0.2
Name: libapparmor
Version: 4.0.2
Release: 0
Summary: Utility library for AppArmor
License: LGPL-2.1-or-later
Group: Development/Libraries/C and C++
URL: https://gitlab.com/apparmor/apparmor/
Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.gz
# from https://gitlab.com/apparmor/apparmor/-/wikis/%{version}_Signatures
Source1: apparmor-%{tarversion}.tar.gz.asc
Source2: apparmor.keyring
BuildRequires: autoconf
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: bison
BuildRequires: dejagnu
BuildRequires: flex
BuildRequires: libtool
BuildRequires: pkg-config
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
%package -n libapparmor1
Summary: Utility library for AppArmor
Group: System/Libraries
%ifarch ppc64
Obsoletes: libapparmor-64bit < 2.9
Provides: libapparmor-64bit = %{version}
%endif
Provides: libapparmor = %{version}
Obsoletes: libapparmor < 2.9
%description -n libapparmor1
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
%package -n libapparmor-devel
Summary: Development headers and libraries for libapparmor
Group: Development/Libraries/C and C++
Requires: libapparmor1 = %{version}
Provides: libapparmor:/usr/include/sys/apparmor.h
%description -n libapparmor-devel
These libraries are needed for developing software that makes use of the
AppArmor API.
%prep
%setup -q -n apparmor-%{tarversion}
%build
(
cd ./libraries/libapparmor
sh ./autogen.sh &&
%configure \
--without-perl \
--without-python \
--without-ruby \
make
)
%check
make check -C libraries/libapparmor
%install
%makeinstall -C libraries/libapparmor
# create symlink for old change_hat(2) manpage
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
# remove *.la and *.a files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
rm -fv %{buildroot}%{_libdir}/libapparmor.a
%post -n libapparmor1 -p /sbin/ldconfig
%postun -n libapparmor1 -p /sbin/ldconfig
%files -n libapparmor1
%defattr(-,root,root)
%{_libdir}/libapparmor.so.*
%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.so
%{_libdir}/pkgconfig/libapparmor.pc
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/aa_change_profile.2.gz
%doc %{_mandir}/man2/aa_stack_profile.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
%doc %{_mandir}/man2/aa_getcon.2.gz
%doc %{_mandir}/man2/aa_query_label.2.gz
%doc %{_mandir}/man3/aa_features.3.gz
%doc %{_mandir}/man3/aa_kernel_interface.3.gz
%doc %{_mandir}/man3/aa_policy_cache.3.gz
%doc %{_mandir}/man3/aa_splitcon.3.gz
%dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h
%{_includedir}/sys/apparmor_private.h
%{_includedir}/aalogparse/*
%changelog
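Review bot: In the `%build` subshell the line `--without-ruby \` ends with a backslash, so the following `make` is handed to `configure` as a positional argument instead of being run as a command; because `%configure` already passes `--build`/`--host`, the stray word is presumably ignored and the library is only compiled later as a side effect of `make check` and `%makeinstall`, which hides the mistake. Unless the backslash is a rendering artifact, drop it so the section reads `--without-ruby` followed by `make %{?_smp_mflags}` on its own line. Separately, `Source1`/`Source2` list the upstream detached signature and keyring, but nothing in `%prep` checks them — inside OBS the source validator does that at submit time, whereas a plain `rpmbuild` gets no integrity check, so a one-line comment stating that expectation next to `Source2` would help. Minor: `BuildRoot:` and `%defattr(-,root,root)` are no-ops on current rpm, and `%make_install` is the current spelling of `%makeinstall`.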


@ -0,0 +1,166 @@
From aada708bc1c1787d190529aeafce66e3ce52fb7e Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Sun, 9 Jun 2024 21:51:01 +0200
Subject: [PATCH 1/2] MountRule: add support for quoted paths
While on it, make the output for failing tests more verbose for easier
debugging.
(cherry picked from commit 900f233101553182cffb29aab53e014d25138489,
test-mount.py adjusted for 4.0 branch)
---
utils/apparmor/rule/mount.py | 6 +++---
utils/test/test-mount.py | 4 +++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py
index b2d73a27b..992c29142 100644
--- a/utils/apparmor/rule/mount.py
+++ b/utils/apparmor/rule/mount.py
@@ -15,7 +15,7 @@ import re
from apparmor.common import AppArmorBug, AppArmorException
-from apparmor.regex import RE_PROFILE_MOUNT, strip_parenthesis
+from apparmor.regex import RE_PROFILE_MOUNT, strip_parenthesis, strip_quotes
from apparmor.rule import AARE
from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers, logprof_value_or_all, check_and_split_list
@@ -171,12 +171,12 @@ class MountRule(BaseRule):
options = cls.ALL
if operation == 'mount' and r['source_file'] is not None: # Umount cannot have a source
- source = r['source_file']
+ source = strip_quotes(r['source_file'])
else:
source = cls.ALL
if r['dest_file'] is not None:
- dest = r['dest_file']
+ dest = strip_quotes(r['dest_file'])
else:
dest = cls.ALL
diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py
index cb1a89630..6dfe1ac85 100644
--- a/utils/test/test-mount.py
+++ b/utils/test/test-mount.py
@@ -42,7 +42,9 @@ class MountTestParse(AATest):
('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )),
('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )),
+ ('mount "/a space",', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a space', MountRule.ALL, False, False, False, '')),
('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )),
+ ('mount fstype=(ext3, ext4) /a -> "/bar space",', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/bar space', False, False, False, '')),
('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, '' )),
('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')),
('mount fstype=({ext3,ext4}) options in (ro, sync) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'sync')), '/a', '/b', False, False, False, '' )),
@@ -66,7 +68,7 @@ class MountTestParse(AATest):
self.assertTrue(MountRule.match(rawrule))
obj = MountRule.create_instance(rawrule)
expected.raw_rule = rawrule.strip()
- self.assertTrue(obj.is_equal(expected, True))
+ self.assertTrue(obj.is_equal(expected, True), f'\n {rawrule} expected,\n {obj.get_clean()} returned by obj.get_clean()\n {expected.get_clean()} returned by expected.get_clean()')
def test_valid_mount_changing_propagation(self):
# Rules changing propagation type can either specify a source or a dest (these are equivalent for apparmor_parser in this specific case) but not both.
--
GitLab
From 98a0a2fee92b86155de258711c554f068ead8f6c Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Sun, 9 Jun 2024 23:03:13 +0200
Subject: [PATCH 2/2] MountRule: Add support for empty ("") source
This needs adding of an empty_ok flag in _aare_or_all().
Also add a few tests from boo#1226031 to utils and parser tests.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1226031
(cherry picked from commit 1f33fc9b29c174698fdf0116a4a9f50680ec4fdb,
test-mount.py changes adjusted for 4.0 branch)
---
parser/tst/simple_tests/mount/ok_quoted_1.sd | 9 +++++++++
utils/apparmor/rule/__init__.py | 4 ++--
utils/apparmor/rule/mount.py | 4 ++--
utils/test/test-mount.py | 2 ++
4 files changed, 15 insertions(+), 4 deletions(-)
create mode 100644 parser/tst/simple_tests/mount/ok_quoted_1.sd
diff --git a/parser/tst/simple_tests/mount/ok_quoted_1.sd b/parser/tst/simple_tests/mount/ok_quoted_1.sd
new file mode 100644
index 000000000..c819caea3
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_quoted_1.sd
@@ -0,0 +1,9 @@
+#
+#=Description basic mount rules with quoted paths
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ mount "" -> "/",
+ mount "" -> "/tmp/",
+ umount "/",
+}
diff --git a/utils/apparmor/rule/__init__.py b/utils/apparmor/rule/__init__.py
index ede7909ca..11e2f1f17 100644
--- a/utils/apparmor/rule/__init__.py
+++ b/utils/apparmor/rule/__init__.py
@@ -51,7 +51,7 @@ class BaseRule(metaclass=ABCMeta):
# Set only in the parse() class method
self.raw_rule = None
- def _aare_or_all(self, rulepart, partname, is_path, log_event):
+ def _aare_or_all(self, rulepart, partname, is_path, log_event, empty_ok=False):
"""checks rulepart and returns
- (AARE, False) if rulepart is a (non-empty) string
- (None, True) if rulepart is all_obj (typically *Rule.ALL)
@@ -67,7 +67,7 @@ class BaseRule(metaclass=ABCMeta):
if rulepart == self.ALL:
return None, True
elif isinstance(rulepart, str):
- if not rulepart.strip():
+ if not rulepart.strip() and not empty_ok:
raise AppArmorBug(
'Passed empty %(partname)s to %(classname)s: %(rulepart)s'
% {'partname': partname, 'classname': self.__class__.__name__, 'rulepart': str(rulepart)})
diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py
index 992c29142..d20522971 100644
--- a/utils/apparmor/rule/mount.py
+++ b/utils/apparmor/rule/mount.py
@@ -66,7 +66,7 @@ mount_condition_pattern = rf'({fs_type_pattern})?\s*({option_pattern})?'
# - A path : /foo
# - A globbed Path : **
-glob_pattern = r'(\s*(?P<%s>(([/{]|\*\*)\S*|"([/{]|\*\*)[^"]*"|@{\S+}\S*|"@{\S+}[^"]*")|\w+))'
+glob_pattern = r'(\s*(?P<%s>(([/{]|\*\*)\S*|"([/{]|\*\*)[^"]*"|@{\S+}\S*|"@{\S+}[^"]*"|"")|\w+))'
source_fileglob_pattern = glob_pattern % 'source_file'
dest_fileglob_pattern = glob_pattern % 'dest_file'
@@ -114,7 +114,7 @@ class MountRule(BaseRule):
raise AppArmorException(_('Passed unknown options keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items)))
self.is_options_equal = options[0] if not self.all_options else None
- self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event)
+ self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event, empty_ok=True)
self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event)
if not self.all_fstype and self.is_fstype_equal not in ('=', 'in'):
diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py
index 6dfe1ac85..7af46a5d8 100644
--- a/utils/test/test-mount.py
+++ b/utils/test/test-mount.py
@@ -55,6 +55,8 @@ class MountTestParse(AATest):
MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/',
'/tmp/snap.rootfs_*{,/usr}/lib/modules/',
False, False, False, '' )),
+ ('mount options=(runbindable, rw) -> /,', MountRule('mount', MountRule.ALL, ('=', ['runbindable', 'rw']), MountRule.ALL, '/', False, False, False, '')),
+ ('mount "" -> /,', MountRule('mount', MountRule.ALL, MountRule.ALL, '', '/', False, False, False, '')),
('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '' )),
--
GitLab
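Review bot: The `""` alternative added to `glob_pattern` in mount.py is formatted into both `source_fileglob_pattern` and `dest_fileglob_pattern`, but only the source call to `_aare_or_all` gets `empty_ok=True`; a rule such as `mount /a -> "",` therefore matches the regex, `strip_quotes` presumably reduces `""` to `''`, and the dest call raises `AppArmorBug` — the internal-error class — for what is really invalid profile text. Reject it explicitly before the dest call, `if isinstance(dest, str) and not dest.strip(): raise AppArmorException(_('Mount destination cannot be empty'))`, or build the dest pattern without the `""` branch. A matching negative case in the parser's `simple_tests` (an `EXRESULT FAIL` file with `mount /a -> "",`) would keep utils and apparmor_parser aligned, as `ok_quoted_1.sd` does for the positive cases. `MountRule.__init__` and `_aare_or_all` both continue outside the hunks shown.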

31
plasmashell.diff Normal file

@ -0,0 +1,31 @@
commit 64469afa2c65eb8a90a19d2b658a9559fb3964b0
Author: Christian Boltz <apparmor@cboltz.de>
Date: Tue Jun 4 21:14:50 2024 +0200
Add openSUSE path to plasmashell profile
While on it,
- add some comments explaining what the profile does
- adjust the rule with the Debian/Ubuntu path to work with Qt6
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961
diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell
index d743ff7a3..51c50a689 100644
--- a/profiles/apparmor.d/plasmashell
+++ b/profiles/apparmor.d/plasmashell
@@ -17,8 +17,13 @@ profile plasmashell /usr/bin/plasmashell {
unix,
ptrace,
- /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
+ # allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues)
+ /usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
+ /usr/libexec/qt[56]/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
+
+ # allow to execute all other programs under their own profile, or to run unconfined
/** pux,
+
/{,**} mrwlk,
profile QtWebEngineProcess {
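Review bot: The Debian/Ubuntu rule keeps the hard-coded `x86_64-linux-gnu` multiarch directory, so on any other architecture (arm64, ppc64el, …) QtWebEngineProcess matches neither new line and falls through to `/** pux,`, i.e. it runs unconfined unless a standalone profile for it happens to exist — not under the stacked `plasmashell//QtWebEngineProcess` profile the new comment says it should get. If the profile includes `tunables/global` (not visible in this hunk), `/usr/lib/@{multiarch}/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,` covers every Debian architecture with one rule. The `profile QtWebEngineProcess {` child and the rest of `profile plasmashell` continue outside the hunk.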

48
sampa-rpcd-witness.diff Normal file

@ -0,0 +1,48 @@
From https://gitlab.com/apparmor/apparmor/-/merge_requests/1256
(adjusted to currently packaged samba-rpcd profile)
From 94ccd111deac35d7deadb07e66d25e045633e221 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Sat, 8 Jun 2024 22:46:53 +0200
Subject: [PATCH] samba-dcerpcd: allow to execute rpcd_witness
... and extend the samba-rpcd profile to also include rpcd_witness.
Patch by Noel Power <nopower@suse.com>
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225811
---
profiles/apparmor.d/samba-dcerpcd | 2 +-
profiles/apparmor.d/samba-rpcd | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
Index: apparmor-v4.0.1/profiles/apparmor.d/samba-dcerpcd
===================================================================
--- apparmor-v4.0.1.orig/profiles/apparmor.d/samba-dcerpcd 2024-04-12 05:59:30.000000000 +0200
+++ apparmor-v4.0.1/profiles/apparmor.d/samba-dcerpcd 2024-06-25 21:49:49.017901846 +0200
@@ -21,7 +21,7 @@ profile samba-dcerpcd /usr/lib*/samba/{,
/usr/lib*/samba/{,samba/}samba-dcerpcd mr,
/usr/lib*/samba/ r,
- /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
+ /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} Px -> samba-rpcd,
/usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
/usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,
Index: apparmor-v4.0.1/profiles/apparmor.d/samba-rpcd
===================================================================
--- apparmor-v4.0.1.orig/profiles/apparmor.d/samba-rpcd 2024-04-12 05:59:30.000000000 +0200
+++ apparmor-v4.0.1/profiles/apparmor.d/samba-rpcd 2024-06-25 21:49:49.017901846 +0200
@@ -13,9 +13,9 @@ abi <abi/4.0>,
include <tunables/global>
-profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
+profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} {
include <abstractions/samba-rpcd>
- /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
+ /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} mr,
@{run}/samba/ncalrpc/np/winreg wr,
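Review bot: Adding `witness` to the shared `samba-rpcd` attachment and its `mr` rule gives rpcd_witness exactly the access the other rpcd_* helpers have, but neither the patch nor its description shows this was exercised under enforce mode; as far as I know the witness service is the cluster-failover notification daemon and may need paths or sockets the others never touch, and those denials would only surface at runtime. Either note in the patch header that rpcd_witness ran cleanly in enforce mode, or give it its own `samba-rpcd-witness` profile as was done for `rpcd_classic` and `rpcd_spoolss`, so any extra permission it needs does not widen what all the shared helpers get. Minor: the file is named `sampa-rpcd-witness.diff` (typo for samba); it presumably has to match a `Patch:` line in apparmor.spec, so fix both together.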

22
sddm-xauth.diff Normal file

@ -0,0 +1,22 @@
commit 0c6e031c02fb18affd3bb7f15e269d9dd5c3317a
Author: Christian Boltz <apparmor@cboltz.de>
Date: Tue Jun 4 21:45:06 2024 +0200
abstractions/X: add another xauth path
This time it's /tmp/xauth_?????? r, which gets used by latest sddm.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1223900
diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X
index 6f0272d64..6df891185 100644
--- a/profiles/apparmor.d/abstractions/X
+++ b/profiles/apparmor.d/abstractions/X
@@ -28,6 +28,7 @@
owner @{run}/user/*/gdm/Xauthority r,
owner @{run}/user/*/X11/Xauthority r,
owner @{run}/user/*/xauth_* r,
+ owner /tmp/xauth_?????? r,
# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
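Review bot: The new `owner /tmp/xauth_?????? r,` line carries no comment, and the commit message is the only place that says it exists for current sddm; since `/tmp` is world-writable and this abstraction is pulled into many profiles, a reader should be able to see why a `/tmp` path is acceptable here — add `# sddm writes the X cookie as mktemp-style /tmp/xauth_XXXXXX; owner keeps other users' files out` above it. The `owner` qualifier and the exact six-character glob (rather than the `*` used for the `@{run}/user` variants) are the right restrictions and should stay as they are.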

21
teardown-unconfined.diff Normal file

@ -0,0 +1,21 @@
commit f497afbe1364b45540a6582870e5a76f1ada7a2b
Author: Christian Boltz <apparmor@cboltz.de>
Date: Tue May 28 21:13:47 2024 +0200
Fix aa-teardown for `unconfined` profiles
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225457
diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions
index f66fea422..099ab67d3 100644
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -253,7 +253,7 @@ remove_profiles() {
retval=0
# We filter child profiles as removing the parent will remove
# the children
- sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \
+ sed -e "s/ (\(enforce\|complain\|unconfined\))$//" "$SFS_MOUNTPOINT/profiles" | \
LC_COLLATE=C sort | grep -v // | {
while read -r profile ; do
printf "%s" "$profile" > "$SFS_MOUNTPOINT/.remove"
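Review bot: The `sed` expression in `remove_profiles` still strips only a closed list of modes, so the same failure recurs for any other mode the kernel can print in `profiles` — `kill` and `prompt` exist on newer kernel/parser combinations — and a name that keeps its ` (mode)` suffix is then written to `.remove` and fails exactly as the bug report describes. A mode-agnostic pattern ends the whack-a-mole: `sed -e "s/ ([a-z_]*)$//" "$SFS_MOUNTPOINT/profiles" | \`. `remove_profiles` continues past the end of the hunk; the `.remove` write itself is unchanged.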

30
test-aa-notify.diff Normal file

@ -0,0 +1,30 @@
https://gitlab.com/apparmor/apparmor/-/merge_requests/1226
From 715cb711ba26d3ccff490f35f80721cf3678abb6 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Sun, 5 May 2024 22:05:43 +0200
Subject: [PATCH] Don't rely on argparse saying "options:"
Some argparse versions (for example on openSUSE Leap 15.5) instead say
"optional arguments:"
Don't rely on the "options:" line to allow both wordings.
---
utils/test/test-aa-notify.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py
index 4f3e540e9..abffd0631 100644
--- a/utils/test/test-aa-notify.py
+++ b/utils/test/test-aa-notify.py
@@ -194,7 +194,6 @@ Display AppArmor notifications or messages for DENIED entries.
expected_output_2 = \
'''
-options:
-h, --help show this help message and exit
-p, --poll poll AppArmor logs and display notifications
--display DISPLAY set the DISPLAY environment variable (might be needed if
--
GitLab


@ -0,0 +1,39 @@
From 553acd22324ed013d9f468aa8585518cf68b34f7 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Sun, 21 Apr 2024 17:32:24 +0200
Subject: [PATCH] Fix redefinition of _
... which unsurprisingly broke using the translations.
This was a regression introduced in 4f51c93f9dc2516a32bfccc79b4dcf4985e61f47
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/387
---
utils/apparmor/tools.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utils/apparmor/tools.py b/utils/apparmor/tools.py
index e8a99bbe6..f7d4a0d36 100644
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -90,7 +90,7 @@ class aa_tools:
def get_next_for_modechange(self):
"""common code for mode/flags changes"""
- for (program, _, prof_filename) in self.get_next_to_profile():
+ for (program, ignored, prof_filename) in self.get_next_to_profile():
output_name = prof_filename if program is None else program
if not os.path.isfile(prof_filename) or is_skippable_file(prof_filename):
@@ -162,7 +162,7 @@ class aa_tools:
def cmd_autodep(self):
apparmor.loadincludes()
- for (program, _, prof_filename) in self.get_next_to_profile():
+ for (program, ignored, prof_filename) in self.get_next_to_profile():
if not program:
aaui.UI_Info(_('Please pass an application to generate a profile for, not a profile itself - skipping %s.') % prof_filename)
continue
--
GitLab
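Review bot: The rename fixes the shadowing, but nothing stops the next contributor from writing `for (program, _, prof_filename)` again in a module where `_` is the gettext function — the `_('Please pass an application …')` call in `cmd_autodep` sits only two lines below one of the loops being changed. A short comment at the first renamed loop, `# not '_': this module binds _ to gettext, see the messages below`, makes the constraint visible, and a lint rule that flags rebinding a module-level name (pylint's `redefined-outer-name`, for instance) should catch it mechanically. Both loops belong to `aa_tools` methods whose bodies continue outside the hunks.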


@ -0,0 +1,182 @@
commit 1f4bba0448563b7d1fe4d86c230556ebf8d3805b
Author: Maxime Bélair <maxime.belair@canonical.com>
Date: Mon May 20 11:09:04 2024 +0200
Cherry-pick: MountRule: Aligning behavior with apparmor_parser
Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source.
Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid.
For the same reason, specifying a fstype in these cases is also prohibited.
Similarly, we prohibit to specify a fstype for bind mount rules.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685
(cherry picked from commit 60acc4a4053ddb3718b9a2f5ceb1ef02fea3a226)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py
index abfa2b75e..b2d73a27b 100644
--- a/utils/apparmor/rule/mount.py
+++ b/utils/apparmor/rule/mount.py
@@ -25,15 +25,18 @@ _ = init_translation()
# TODO : Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules.
-flags_keywords = [
- # keep in sync with parser/mount.cc mnt_opts_table!
- 'ro', 'r', 'read-only', 'rw', 'w', 'suid', 'nosuid', 'dev', 'nodev', 'exec', 'noexec', 'sync', 'async', 'remount',
- 'mand', 'nomand', 'dirsync', 'symfollow', 'nosymfollow', 'atime', 'noatime', 'diratime', 'nodiratime', 'bind', 'B',
- 'move', 'M', 'rbind', 'R', 'verbose', 'silent', 'loud', 'acl', 'noacl', 'unbindable', 'make-unbindable', 'runbindable',
- 'make-runbindable', 'private', 'make-private', 'rprivate', 'make-rprivate', 'slave', 'make-slave', 'rslave', 'make-rslave',
- 'shared', 'make-shared', 'rshared', 'make-rshared', 'relatime', 'norelatime', 'iversion', 'noiversion', 'strictatime',
- 'nostrictatime', 'lazytime', 'nolazytime', 'user', 'nouser',
- '([A-Za-z0-9])',
+flags_bind_mount = {'B', 'bind', 'R', 'rbind'}
+flags_change_propagation = {
+ 'remount', 'unbindable', 'shared', 'private', 'slave', 'runbindable', 'rshared', 'rprivate', 'rslave',
+ 'make-unbindable', 'make-shared', 'make-private', 'make-slave', 'make-runbindable', 'make-rshared', 'make-rprivate',
+ 'make-rslave'
+}
+# keep in sync with parser/mount.cc mnt_opts_table!
+flags_keywords = list(flags_bind_mount) + list(flags_change_propagation) + [
+ 'ro', 'r', 'read-only', 'rw', 'w', 'suid', 'nosuid', 'dev', 'nodev', 'exec', 'noexec', 'sync', 'async', 'mand',
+ 'nomand', 'dirsync', 'symfollow', 'nosymfollow', 'atime', 'noatime', 'diratime', 'nodiratime', 'move', 'M',
+ 'verbose', 'silent', 'loud', 'acl', 'noacl', 'relatime', 'norelatime', 'iversion', 'noiversion', 'strictatime',
+ 'nostrictatime', 'lazytime', 'nolazytime', 'user', 'nouser', '([A-Za-z0-9])',
]
join_valid_flags = '|'.join(flags_keywords)
@@ -112,6 +115,7 @@ class MountRule(BaseRule):
self.is_options_equal = options[0] if not self.all_options else None
self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event)
+ self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event)
if not self.all_fstype and self.is_fstype_equal not in ('=', 'in'):
raise AppArmorBug(f'Invalid is_fstype_equal : {self.is_fstype_equal}')
@@ -120,11 +124,14 @@ class MountRule(BaseRule):
if self.operation != 'mount' and not self.all_source:
raise AppArmorException(f'Operation {self.operation} cannot have a source')
- flags_forbidden_with_source = {'remount', 'unbindable', 'shared', 'private', 'slave', 'runbindable', 'rshared', 'rprivate', 'rslave'}
- if self.operation == 'mount' and not self.all_source and not self.all_options and flags_forbidden_with_source & self.options != set():
- raise AppArmorException(f'Operation {flags_forbidden_with_source & self.options} cannot have a source. Source = {self.source}')
+ if self.operation == 'mount' and not self.all_options and flags_change_propagation & self.options != set():
+ if not (self.all_source or self.all_dest):
+ raise AppArmorException(f'Operation {flags_change_propagation & self.options} cannot specify a source. Source = {self.source}')
+ elif not self.all_fstype:
+ raise AppArmorException(f'Operation {flags_change_propagation & self.options} cannot specify a fstype. Fstype = {self.fstype}')
- self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event)
+ if self.operation == 'mount' and not self.all_options and flags_bind_mount & self.options != set() and not self.all_fstype:
+ raise AppArmorException(f'Bind mount rules cannot specify a fstype. Fstype = {self.fstype}')
self.can_glob = not self.all_source and not self.all_dest and not self.all_options
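Review bot: The exception on the `not (self.all_source or self.all_dest)` branch says the operation `cannot specify a source`, but that branch only fires when both a source and a destination are given (a source alone passes, as the new `test_valid_mount_changing_propagation` documents), so the message points the profile author at the wrong field. I would make it `raise AppArmorException(f'Operation {flags_change_propagation & self.options} cannot specify both a source and a destination. Source = {self.source}, Dest = {self.dest}')`. The set tests are correct (`&` binds tighter than `!=`) but read more clearly as truthiness: `if self.operation == 'mount' and not self.all_options and self.options & flags_change_propagation:`. These checks only mirror what apparmor_parser enforces, so the `keep in sync with parser/mount.cc` note that guards the flag sets applies to this block too; the parser remains the authority for what actually loads. The enclosing `__init__` starts and ends outside this hunk.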
diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py
index 7f88ff7db..cb1a89630 100644
--- a/utils/test/test-mount.py
+++ b/utils/test/test-mount.py
@@ -43,12 +43,12 @@ class MountTestParse(AATest):
('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )),
('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )),
('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )),
- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
- ('mount fstype=({ext3,ext4}) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
- ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
- ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')),
- ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
+ ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, '' )),
+ ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')),
+ ('mount fstype=({ext3,ext4}) options in (ro, sync) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'sync')), '/a', '/b', False, False, False, '' )),
+ ('mount fstype in (ext3, ext4) options=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')),
+ ('mount fstype in (ext3, ext4) option in (ro, sync) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'sync')), '/a', MountRule.ALL, False, False, False, ' #cmt')),
+ ('mount fstype=(ext3, ext4) option=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')),
('mount options=(rw, rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,',
MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/',
'/tmp/snap.rootfs_*{,/usr}/lib/modules/',
@@ -68,6 +68,17 @@ class MountTestParse(AATest):
expected.raw_rule = rawrule.strip()
self.assertTrue(obj.is_equal(expected, True))
+ def test_valid_mount_changing_propagation(self):
+ # Rules changing propagation type can either specify a source or a dest (these are equivalent for apparmor_parser in this specific case) but not both.
+ MountRule('mount', MountRule.ALL, ('=', ('runbindable')), '/foo', MountRule.ALL)
+ MountRule('mount', MountRule.ALL, ('=', ('runbindable')), MountRule.ALL, '/foo')
+
+ def test_valid_bind_mount(self):
+ # Fstype must remain empty in bind rules
+ MountRule('mount', MountRule.ALL, ('=', ('bind')), '/foo', MountRule.ALL)
+ MountRule('mount', MountRule.ALL, ('=', ('bind')), MountRule.ALL, '/bar')
+ MountRule('mount', MountRule.ALL, ('=', ('bind')), '/foo', '/bar')
+
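Review bot: The two new positive tests only call the `MountRule` constructor and assert nothing, so they never exercise the text path (`MountRule.create_instance` / the regex) that aa-logprof and profile loading go through, and a regression that only affects parsing would not be caught. The same cases belong as rows in the `tests` table of this class, e.g. `('mount options=(runbindable) /foo,', MountRule('mount', MountRule.ALL, ('=', ('runbindable')), '/foo', MountRule.ALL, False, False, False, ''))` and the `-> /foo` form, which also checks the round trip through `is_equal`. Keeping the constructor-only tests is fine, but an explicit `self.assertTrue(...)` or a `get_clean()` comparison would state what they are meant to prove.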
class MountTestParseInvalid(AATest):
tests = (
@@ -143,6 +154,20 @@ class MountTestParseInvalid(AATest):
with self.assertRaises(AppArmorException):
MountRule('remount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL)
+ def test_invalid_mount_changing_propagation(self):
+ # Rules changing propagation type can either specify a source or a dest (these are equivalent for apparmor_parser in this specific case) but not both.
+ with self.assertRaises(AppArmorException):
+ MountRule('mount', MountRule.ALL, ('=', ('runbindable')), '/foo', '/bar')
+
+ # Rules changing propagation type cannot specify a fstype.
+ with self.assertRaises(AppArmorException):
+ MountRule('mount', ('=', ('ext4')), ('=', ('runbindable')), MountRule.ALL, '/foo')
+
+ def test_invalid_bind_mount(self):
+ # Bind mount rules cannot specify a fstype.
+ with self.assertRaises(AppArmorException):
+ MountRule('mount', ('=', ('ext4')), ('=', ('bind')), MountRule.ALL, '/foo')
+
class MountTestGlob(AATest):
def test_glob(self):
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 451af7d22..60a738aed 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -85,16 +85,6 @@ exception_not_raised = (
'mount/bad_1.sd',
'mount/bad_2.sd',
- # not checked/detected: "make-*" mount opt and an invalid src
- 'mount/bad_opt_17.sd',
- 'mount/bad_opt_18.sd',
- 'mount/bad_opt_19.sd',
- 'mount/bad_opt_20.sd',
- 'mount/bad_opt_21.sd',
- 'mount/bad_opt_22.sd',
- 'mount/bad_opt_23.sd',
- 'mount/bad_opt_24.sd',
-
'profile/flags/flags_bad10.sd',
'profile/flags/flags_bad11.sd',
'profile/flags/flags_bad12.sd',
@@ -324,19 +314,6 @@ unknown_line = (
'bare_include_tests/ok_85.sd',
'bare_include_tests/ok_86.sd',
- # Mount with flags in {remount, [r]unbindable, [r]shared, [r]private, [r]slave} does not support a source
- 'mount/ok_opt_68.sd',
- 'mount/ok_opt_69.sd',
- 'mount/ok_opt_70.sd',
- 'mount/ok_opt_71.sd',
- 'mount/ok_opt_72.sd',
- 'mount/ok_opt_73.sd',
- 'mount/ok_opt_74.sd',
- 'mount/ok_opt_75.sd',
-
- # options=slave with /** src (first rule in the test causes exception)
- 'mount/ok_opt_84.sd',
-
# According to spec mount should be in the form fstype=... options=... and NOT in the form options=... fstype=...
'mount/ok_opt_combo_3.sd',
'mount/ok_opt_combo_2.sd',


@ -0,0 +1,366 @@
commit eee50538da9a240bc151f26c6cff309808d33590
Author: Georgia Garcia <georgia.garcia@canonical.com>
Date: Wed May 8 12:58:42 2024 +0000
Merge MountRule: Relaxing constraints on fstype and completing AARE support
- Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
- Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit baa8b67248f3467cde40683600d7a945b05f9a3b)
dad5ee28 MountRule: Relaxing constraints on fstype and completing AARE support
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py
index f62c08e4b..abfa2b75e 100644
--- a/utils/apparmor/rule/mount.py
+++ b/utils/apparmor/rule/mount.py
@@ -23,19 +23,7 @@ from apparmor.translations import init_translation
_ = init_translation()
-# TODO :
-# - match correctly AARE on every field
-# - Find the actual list of supported filesystems. This one comes from /proc/filesystems. We also blindly accept fuse.*
-# - Support path that begin by { (e.g. {,/usr}/lib/...) This syntax is not a valid AARE but is used by usr.lib.snapd.snap-confine.real in Ubuntu and will currently raise an error in genprof if these lines are not modified.
-# - Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules.
-
-valid_fs = [
- 'sysfs', 'tmpfs', 'bdevfs', 'procfs', 'cgroup', 'cgroup2', 'cpuset', 'devtmpfs', 'configfs', 'debugfs', 'tracefs',
- 'securityfs', 'sockfs', 'bpf', 'npipefs', 'ramfs', 'hugetlbfs', 'devpts', 'ext3', 'ext2', 'ext4', 'squashfs',
- 'vfat', 'ecryptfs', 'fuseblk', 'fuse', 'fusectl', 'efivarfs', 'mqueue', 'store', 'autofs', 'binfmt_misc', 'overlay',
- 'none', 'bdev', 'proc', 'pipefs', 'pstore', 'btrfs', 'xfs', '9p', 'resctrl', 'zfs', 'iso9660', 'udf', 'ntfs3',
- 'nfs', 'cifs', 'overlayfs', 'aufs', 'rpc_pipefs', 'msdos', 'nfs4',
-]
+# TODO : Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules.
flags_keywords = [
# keep in sync with parser/mount.cc mnt_opts_table!
@@ -48,7 +36,6 @@ flags_keywords = [
'([A-Za-z0-9])',
]
join_valid_flags = '|'.join(flags_keywords)
-join_valid_fs = '|'.join(valid_fs)
sep = r'\s*[\s,]\s*'
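Review bot: With `valid_fs` removed, nothing in the utils flags a misspelled fstype any more; the commit message says any filesystem name is now accepted, so a rule with `fstype=etx4` is stored and written back unchanged, and if apparmor_parser likewise accepts any name (as the dropped `mount/ok_12.sd` exception suggests, though I cannot confirm it from this hunk) the typo is never caught and the rule silently matches nothing. That is the accepted trade-off per the MR rationale, but it deserves a line next to the remaining TODO so the next maintainer does not re-add a list or assume validation exists: `# NOTE: fstype is deliberately not validated against a list of known filesystems (see !1195/!1176); a typo is not caught here, so review the fstype values accepted in aa-logprof/aa-genprof.`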
@@ -106,27 +93,18 @@ class MountRule(BaseRule):
self.operation = operation
- self.fstype, self.all_fstype, unknown_items = check_and_split_list(fstype[1] if fstype != self.ALL else fstype, valid_fs, self.ALL, type(self).__name__, 'fstype')
-
- if unknown_items:
- for it in unknown_items:
-
- # Several filesystems use fuse internally and are referred as fuse.<software_name> (e.g. fuse.jmtpfs, fuse.s3fs, fuse.obexfs).
- # Since this list seems to evolve too fast for a fixed list to work in practice, we just accept fuse.*
- # See https://github.com/libfuse/libfuse/wiki/Filesystems and, https://doc.ubuntu-fr.org/fuse
- if it.startswith('fuse.') and len(it) > 5:
- continue
-
- it = AARE(it, is_path=False)
- found = False
- for fs in valid_fs:
- if self._is_covered_aare(it, self.all_fstype, AARE(fs, False), self.all_fstype, 'fstype'):
- found = True
- break
- if not found:
- raise AppArmorException(_('Passed unknown fstype keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items)))
-
- self.is_fstype_equal = fstype[0] if not self.all_fstype else None
+ if fstype == self.ALL or fstype[1] == self.ALL:
+ self.all_fstype = True
+ self.fstype = None
+ self.is_fstype_equal = None
+ else:
+ self.all_fstype = False
+ for it in fstype[1]:
+ l, unused = parse_aare(it, 0, 'fstype')
+ if l != len(it):
+ raise AppArmorException(f'Invalid aare : {it}')
+ self.fstype = fstype[1]
+ self.is_fstype_equal = fstype[0]
self.options, self.all_options, unknown_items = check_and_split_list(options[1] if options != self.ALL else options, flags_keywords, self.ALL, type(self).__name__, 'options')
if unknown_items:
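Review bot: `for it in fstype[1]` assumes `fstype[1]` is a list or tuple; a bare string such as `('=', 'ext4')`, which is exactly the form the removed test lines in this commit used, is iterated character by character, every character trivially passes `parse_aare`, and `self.fstype` is then stored as a str instead of a list, so downstream `is_covered`/`is_equal` comparisons would presumably operate on single characters rather than on the name. I would normalise before the loop, `fs_list = [fstype[1]] if isinstance(fstype[1], str) else list(fstype[1])`, iterate `fs_list` and assign `self.fstype = fs_list`; alternatively raise `AppArmorBug` for a str, as the `is_fstype_equal` check already does for a bad operator. An empty list (`fstype=()` in the parsed form) also reaches `self.all_fstype = False` with `self.fstype == []`; the existing `('mount fstype=(),', AppArmorException)` test still passes, but I cannot see from this hunk which layer raises, so a guard `if not fs_list: raise AppArmorException(...)` here would make it explicit. The enclosing `__init__` begins and ends outside this hunk.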
@@ -173,7 +151,7 @@ class MountRule(BaseRule):
if r['fstype'] is not None:
is_fstype_equal = r['fstype_equals_or_in']
- fstype = strip_parenthesis(r['fstype']).replace(',', ' ').split()
+ fstype = parse_aare_list(strip_parenthesis(r['fstype']), 'fstype')
else:
is_fstype_equal = None
fstype = cls.ALL
@@ -316,6 +294,38 @@ class MountRuleset(BaseRuleset):
'''Class to handle and store a collection of Mount rules'''
+
+def parse_aare(s, offset, param):
+ parsed = ''
+ brace_count = 0
+ for i, c in enumerate(s[offset:], start=offset):
+ if c in [' ', ',', '\t'] and brace_count == 0:
+ break
+ parsed += c
+ if c == '{':
+ brace_count += 1
+ elif c == '}':
+ brace_count -= 1
+ if brace_count < 0:
+ raise AppArmorException(f"Unmatched closing brace in {param}: {s[offset:]}")
+ offset = i
+
+ if brace_count != 0:
+ raise AppArmorException(f"Unmatched opening brace in {param}: {s[offset:]}")
+
+ return offset + 1, parsed
+
+
+def parse_aare_list(s, param):
+ res = []
+ offset = 0
+ while offset <= len(s):
+ offset, part = parse_aare(s, offset, param)
+ if part.translate(' ,\t') != '':
+ res.append(part)
+ return res
+
+
def wrap_in_with_spaces(value):
''' wrap 'in' keyword in spaces, and leave everything else unchanged '''
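Review bot: In `parse_aare_list`, `part.translate(' ,\t')` does not strip separators: `str.translate` expects a mapping from code points, and given a str it evaluates `table[ord(c)]`, which raises IndexError (a LookupError, so the character is left untouched) for every ordinary character, making the condition effectively `part != ''`. That happens to suffice because `parse_aare` never copies a depth-0 separator into `parsed`, but the intent should be written as `if part.strip(' ,\t'):` (or simply `if part:`). In `parse_aare`, both error messages use `s[offset:]` after the loop has advanced `offset` to the last consumed index, so an unclosed `{ext3,ext4` is reported as `Unmatched opening brace in fstype: 4`; keep `start = offset` before the loop and report `s[start:]` in both raises. Backslash-escaped braces, if AARE permits them, are counted as real braces by this loop; I cannot tell from the hunk whether such input can reach here.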
diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py
index e37c287c7..7f88ff7db 100644
--- a/utils/test/test-mount.py
+++ b/utils/test/test-mount.py
@@ -20,7 +20,7 @@ from common_test import AATest, setup_all_loops
from apparmor.common import AppArmorException, AppArmorBug
from apparmor.translations import init_translation
-from apparmor.rule.mount import MountRule, valid_fs
+from apparmor.rule.mount import MountRule
_ = init_translation()
@@ -31,34 +31,34 @@ class MountTestParse(AATest):
# Rule Operation Filesystem Options Source Destination Audit Deny Allow Comment
('mount -> **,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '**', False, False, False, '' )),
('mount options=(rw, shared) -> **,', MountRule('mount', MountRule.ALL, ('=', ('rw', 'shared')), MountRule.ALL, '**', False, False, False, '' )),
- ('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('bpf')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
- ('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.obex*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
- ('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
- ('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ("bpf")), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )),
+ ('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
+ ('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.obex*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
+ ('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
+ ('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )),
('mount,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
- ('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
+ ('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('mount bpf,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'bpf', MountRule.ALL, False, False, False, '' )),
('mount none,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'none', MountRule.ALL, False, False, False, '' )),
- ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )),
+ ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )),
('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )),
- ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/a', '/b', False, False, False, '' )),
- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
- ('mount fstype=(ext3, ext4) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
- ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
- ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')),
- ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
+ ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )),
+ ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
+ ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
+ ('mount fstype=({ext3,ext4}) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
+ ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
+ ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')),
+ ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
('mount options=(rw, rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,',
MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/',
'/tmp/snap.rootfs_*{,/usr}/lib/modules/',
False, False, False, '' )),
('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
- ('umount fstype=ext3,', MountRule('umount', ('=', ('ext3')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
+ ('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '' )),
('remount,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
- ('remount fstype=ext4,', MountRule('remount', ('=', ('ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
+ ('remount fstype=ext4,', MountRule('remount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('remount /b,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/b', False, False, False, '' )),
)
@@ -72,7 +72,6 @@ class MountTestParse(AATest):
class MountTestParseInvalid(AATest):
tests = (
('mount fstype=,', AppArmorException),
- ('mount fstype=(foo),', AppArmorException),
('mount fstype=(),', AppArmorException),
('mount options=(),', AppArmorException),
('mount option=(invalid),', AppArmorException),
@@ -90,7 +89,7 @@ class MountTestParseInvalid(AATest):
def test_diff_non_mountrule(self):
exp = namedtuple('exp', ('audit', 'deny'))
- obj = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL)
+ obj = MountRule('mount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL)
with self.assertRaises(AppArmorBug):
obj.is_equal(exp(False, False), False)
@@ -98,9 +97,25 @@ class MountTestParseInvalid(AATest):
with self.assertRaises(AppArmorBug):
MountRule('mount', ('ext3', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
- def test_diff_invalid_fstype_keyword(self):
- with self.assertRaises(AppArmorException):
- MountRule('mount', ('=', 'invalidfs'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
+ def test_diff_invalid_fstype_aare(self):
+ tests = [
+ 'mount fstype=({unclosed_regex),',
+ 'mount fstype=({closed}twice}),',
+ ]
+
+ for t in tests:
+ with self.assertRaises(AppArmorException):
+ MountRule.create_instance(t)
+
+ def test_diff_invalid_fstype_aare_2(self):
+ fslists = [
+ ['invalid_{_regex'],
+ ['ext4', 'invalid_}_regex'],
+ ['ext4', '{invalid} {regex}']
+ ]
+ for fslist in fslists:
+ with self.assertRaises(AppArmorException):
+ MountRule('mount', ('=', fslist), MountRule.ALL, MountRule.ALL, MountRule.ALL)
def test_diff_invalid_options_equals_or_in(self):
with self.assertRaises(AppArmorBug):
@@ -111,7 +126,7 @@ class MountTestParseInvalid(AATest):
MountRule('mount', MountRule.ALL, ('=', 'invalid'), MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
def test_diff_fstype(self):
- obj1 = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL)
+ obj1 = MountRule('mount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL)
obj2 = MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL)
self.assertFalse(obj1.is_equal(obj2, False))
@@ -129,14 +144,6 @@ class MountTestParseInvalid(AATest):
MountRule('remount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL)
-class MountTestFilesystems(AATest):
- def test_fs(self):
- with open('/proc/filesystems') as f:
- for line in f:
- fs_name = line.split()[-1]
- self.assertTrue(fs_name in valid_fs, '/proc/filesystems contains %s which is not listed in MountRule valid_fs' % fs_name)
-
-
class MountTestGlob(AATest):
def test_glob(self):
globList = [(
@@ -199,49 +206,58 @@ class MountIsCoveredTest(AATest):
def test_is_covered(self):
obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*')
tests = [
- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b', '/bar'),
- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/b')
+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b', '/bar'),
+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/b')
]
for test in tests:
self.assertTrue(obj.is_covered(MountRule(*test)))
self.assertFalse(obj.is_equal(MountRule(*test)))
def test_is_covered_fs_source(self):
- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
- self.assertTrue(obj.is_covered(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
- self.assertFalse(obj.is_equal(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
+ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
+ self.assertTrue(obj.is_covered(MountRule('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
+ self.assertFalse(obj.is_equal(MountRule('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
- def test_is_covered_regex(self):
- obj = MountRule('mount', ('=', ('sys*', 'fuse.*')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
+ def test_is_covered_aare_1(self):
+ obj = MountRule('mount', ('=', ['sys*', 'fuse.*']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
tests = [
- ('mount', ('=', ('sysfs', 'fuse.s3fs')), ('=', ('ro')), 'tmpfs', MountRule.ALL),
- ('mount', ('=', ('sysfs', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
+ ('mount', ('=', ['sysfs', 'fuse.s3fs']), ('=', ('ro')), 'tmpfs', MountRule.ALL),
+ ('mount', ('=', ['sysfs', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
+ ]
+ for test in tests:
+ self.assertTrue(obj.is_covered(MountRule(*test)))
+ self.assertFalse(obj.is_equal(MountRule(*test)))
+ def test_is_covered_aare_2(self):
+ obj = MountRule('mount', ('=', ['ext{3,4}', '{cgroup*,fuse.*}']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
+ tests = [
+ ('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL),
+ ('mount', ('=', ['ext3', 'ext4', 'cgroup', 'cgroup2', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
]
for test in tests:
self.assertTrue(obj.is_covered(MountRule(*test)))
self.assertFalse(obj.is_equal(MountRule(*test)))
def test_is_notcovered(self):
- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*')
+ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/b*')
tests = [
- ('mount', ('in', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ),
- ('mount', ('=', ('procfs', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ),
- ('mount', ('=', ('ext3')), ('=', ('rw')), '/foo/bar', '/bar' ),
- ('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/foo/b*', '/bar' ),
+ ('mount', ('in', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ),
+ ('mount', ('=', ['procfs', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ),
+ ('mount', ('=', ['ext3']), ('=', ('rw')), '/foo/bar', '/bar' ),
+ ('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/foo/b*', '/bar' ),
('mount', MountRule.ALL, ('=', ('ro')), '/foo/b*', '/bar' ),
- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/invalid/bar', '/bar' ),
+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/invalid/bar', '/bar' ),
('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ),
('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ),
- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', '/bar' ),
- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/invalid'),
+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', '/bar' ),
+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/invalid'),
]
for test in tests:
self.assertFalse(obj.is_covered(MountRule(*test)))
self.assertFalse(obj.is_equal(MountRule(*test)))
def test_is_not_covered_fs_source(self):
- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
- test = ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'procfs', MountRule.ALL)
+ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
+ test = ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'procfs', MountRule.ALL)
self.assertFalse(obj.is_covered(MountRule(*test)))
self.assertFalse(obj.is_equal(MountRule(*test)))
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 40f61ef85..451af7d22 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -324,9 +324,6 @@ unknown_line = (
'bare_include_tests/ok_85.sd',
'bare_include_tests/ok_86.sd',
- # mount with fstype using AARE
- 'mount/ok_12.sd',
-
# Mount with flags in {remount, [r]unbindable, [r]shared, [r]private, [r]slave} does not support a source
'mount/ok_opt_68.sd',
'mount/ok_opt_69.sd',