Accepting request 449596 from home:cboltz
- update to AppArmor 2.10.2 maintenance release - lots of bugfixes and profile updates (including boo#1000201, boo#1009964, boo#1014463) - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_2 for details - add aa-unconfined-fix-netstat-call-2.10r3380.diff to fix a regression in aa-unconfined - drop upstream(ed) patches: - changes-since-2.10.1--r3326..3346.diff - changes-since-2.10.1--r3347..3353.diff - libapparmor-fix-import-path.diff (upstream fix is slightly different) - nscd-var-lib.diff - refresh apparmor-abstractions-no-multiline.diff OBS-URL: https://build.opensuse.org/request/show/449596 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=161
parent
5c6de0adb5
commit
8b7ca9d3cb
39
aa-unconfined-fix-netstat-call-2.10r3380.diff
Normal file
39
aa-unconfined-fix-netstat-call-2.10r3380.diff
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
------------------------------------------------------------
|
||||||
|
revno: 3380
|
||||||
|
committer: Steve Beattie <sbeattie@ubuntu.com>
|
||||||
|
branch nick: 2.10
|
||||||
|
timestamp: Mon 2017-01-09 09:22:58 -0800
|
||||||
|
message:
|
||||||
|
Subject: utils/aa-unconfined: fix netstat invocation regression
|
||||||
|
|
||||||
|
It was reported that converting the netstat command to examine
|
||||||
|
processes bound to ipv6 addresses broke on OpenSUSE due to the version
|
||||||
|
of nettools not supporting the short -4 -6 arguments.
|
||||||
|
|
||||||
|
This patch fixes the invocation of netstat to use the "--protocol
|
||||||
|
inet,inet6" arguments instead, which should return the same results
|
||||||
|
as the short options.
|
||||||
|
|
||||||
|
Signed-off-by: Steve Beattie <steve@nxnw.org>
|
||||||
|
Acked-by: Christian Boltz <apparmor@cboltz.de>
|
||||||
|
|
||||||
|
|
||||||
|
=== modified file 'utils/aa-unconfined'
|
||||||
|
--- utils/aa-unconfined 2016-12-05 09:21:27 +0000
|
||||||
|
+++ utils/aa-unconfined 2017-01-09 17:22:58 +0000
|
||||||
|
@@ -46,10 +46,10 @@
|
||||||
|
regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")
|
||||||
|
import subprocess
|
||||||
|
if sys.version_info < (3, 0):
|
||||||
|
- output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
|
||||||
|
+ output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n")
|
||||||
|
else:
|
||||||
|
#Python3 needs to translate a stream of bytes to string with specified encoding
|
||||||
|
- output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n")
|
||||||
|
+ output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n")
|
||||||
|
|
||||||
|
for line in output:
|
||||||
|
match = regex_tcp_udp.search(line)
|
||||||
|
|
||||||
|
|
||||||
|
vim:ft=diff
|
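Review bot: The Python 3 branch at the `+ output = str(subprocess.check_output(...), encoding='utf8')` line decodes strictly, so a listening process whose name (the `(\S+)` group of regex_tcp_udp) contains bytes that are not valid UTF-8 raises UnicodeDecodeError and aborts aa-unconfined instead of skipping that line; `subprocess.check_output(...).decode('utf8', errors='replace')` keeps the tool running. Both branches also still go through `shell=True` only to set `LANG=C`; the arguments are fixed, so there is no injection path, but `subprocess.check_output(['netstat', '-nlp', '--protocol', 'inet,inet6'], env=dict(os.environ, LANG='C'))` does the same without a shell (assuming `os` is imported, which the hunk does not show). As this is a vendored copy of upstream r3380, the change belongs in a follow-up upstream patch rather than an edit to this file. The surrounding code of aa-unconfined continues outside the hunk.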
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:07a76f338304baadc4ad69d025fe000b1ab4779a251ae8f338afdc13ef1e0f24
|
|
||||||
size 4494037
|
|
@ -1,17 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v1
|
|
||||||
|
|
||||||
iQIcBAABCgAGBQJXF0iqAAoJEGaJ5k49NmS7uXAP/Rz605sXSgJ0ZwZQq/kyP4L6
|
|
||||||
Z7nz7Bv5dgRiVP47C1c/Fv+uJkOxJ5nJKRog6KzaLHrjcRMlyAvWRq+F3MtrwE2j
|
|
||||||
6OlhWL3NaPrUwe8Pchgzf89ogssvioD7+qUf/Rg6e7owL8SlWRFkRcOJFAoxqiF1
|
|
||||||
B0itE7geuj6jxADxfo0OUOGW92tH5y31FZcYCCpebUfvalN9JzwYnF9Y6qH2Af3G
|
|
||||||
gX4Xh8tyIIZGyTtQYexPnDle6DQFONsUzmRYaFIpZRYpKHz9HoM13KZTUY4TAZJL
|
|
||||||
VmzxbHS5FzRIOegZVrpydpYkupvQ5CndywaIGDC/7iPQ1cNxdQoxGY4qI/+dB6LZ
|
|
||||||
0ZfRS88TqE/+OglyfLHgxtxPw369PnvB+kWsND5Nqx77q7/UOQUZJZL0A3nKVcUG
|
|
||||||
YlJnV/SIKGSUE4TjQ+xjPMlI8EJgv42rVSRhi3H6g7+02Q1S9VHuzU8byQsx3fw0
|
|
||||||
PzAeBVBoB0i1MduwpZp1kO7L0Yfl+1zyrue8Bd5A5183lbriaSYRqB6MYSKUgf4f
|
|
||||||
rSdEs8azwmqD2jZsIAAuTgZxCf5LKlkKz/u52fKKG9Pa30OC2bSdHz9LLjVKj+OL
|
|
||||||
Lh8lO1hy3nnReLdsh4TKAQsTBsYTZuHXIbqfMxc0oykuRbwBHAjGO22t4wi6vdtp
|
|
||||||
E7Wco+q0mMZzKGjQm6H/
|
|
||||||
=M5Cf
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
apparmor-2.10.2.tar.gz
Normal file
3
apparmor-2.10.2.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:c253656820a2e6b0127af0ba8ceda36ffec1ae5c9dc0ee8793c3fe97121feac3
|
||||||
|
size 4497918
|
16
apparmor-2.10.2.tar.gz.asc
Normal file
16
apparmor-2.10.2.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQI3BAABCgAhBQJYcxByGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
|
||||||
|
5k49NmS7KLcQAKNtJ8N81T/oOL05bZ6M1g4kjYZ1vIyTx8tFj8iBNBnxWGrWfIMj
|
||||||
|
EJJeaGFUwbAN9LeTxlbwaGHHukLzQa4rihXPgpmQZl3tYWqwMzMtgtzbjWFIRtGA
|
||||||
|
cZunTA0i5kOm0N/IEl1hR2JbDMopPgOWEyV7lZxklKYUavo5+8jrYloXKaSzbQGi
|
||||||
|
KMIms8RF7v4ANOGoqvl6vv3y11JMvvV2VZniPf+myVDcmHjk8jzdzdGEOFRcHvoY
|
||||||
|
Zg7ZMXbPjPh1VQYbzgdpK95SEXDM9X+4fJtcL2A0ofZQrO9rmFWOrtjxSz88DgWi
|
||||||
|
qdfepwIGN7uMBLeL2UMlp8OJVOgcsjY2E9XHzVaSUJYRVuPFa/z3fKzEkMh96HQa
|
||||||
|
xYnsicuQe6HUXxbRoXd/J12Rzla1Bkkvq2NYOwmh4kpZczGGaUK17GxlUryz7C/1
|
||||||
|
VodpZd7pFzKmPuoCinKtO0VsQkDJ4qfKUiMSZOutDMR8eHyNxtVS6Qb5GycViLiF
|
||||||
|
mtHiTipqv0q1HIFZVj3bpbq8Jji9pNHJWI1pwiafYEAqh1hyfGtWGkH3muMROQgL
|
||||||
|
Qmjuoaw2x2VgPk+nnBSFwgOv4TUO/xVa95VD8HwCFjEHulpzlo8lx6k/9t5fZO6T
|
||||||
|
kaS6NBQWIQ8hunIKMifKgi+8fFk2FTaUhgZJUP91MiUm5rwPU0y48RY3
|
||||||
|
=l0m2
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -3,10 +3,10 @@ Index: profiles/apparmor.d/abstractions/X
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200
|
--- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200
|
||||||
+++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200
|
+++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200
|
||||||
@@ -24,12 +24,8 @@
|
@@ -25,12 +25,8 @@
|
||||||
|
|
||||||
# the unix socket to use to connect to the display
|
# the unix socket to use to connect to the display
|
||||||
/tmp/.X11-unix/* w,
|
/tmp/.X11-unix/* rw,
|
||||||
- unix (connect, receive, send)
|
- unix (connect, receive, send)
|
||||||
- type=stream
|
- type=stream
|
||||||
- peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
- peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||||
@ -122,7 +122,7 @@ Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
|
|||||||
|
|
||||||
# Allow connecting to system bus and where to connect to services. Put these
|
# Allow connecting to system bus and where to connect to services. Put these
|
||||||
# here so we don't need to repeat these rules in multiple places (actual
|
# here so we don't need to repeat these rules in multiple places (actual
|
||||||
@@ -58,108 +33,47 @@
|
@@ -58,108 +36,47 @@
|
||||||
# allow apps to brute-force enumerate system services, but our system
|
# allow apps to brute-force enumerate system services, but our system
|
||||||
# services aren't a secret.
|
# services aren't a secret.
|
||||||
/{,var/}run/dbus/system_bus_socket rw,
|
/{,var/}run/dbus/system_bus_socket rw,
|
||||||
@ -282,7 +282,7 @@ Index: profiles/apparmor.d/abstractions/gnome
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
|
--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
|
||||||
+++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
|
+++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
|
||||||
@@ -88,6 +88,4 @@
|
@@ -91,6 +91,4 @@
|
||||||
|
|
||||||
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
|
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
|
||||||
# rules)
|
# rules)
|
||||||
|
@ -1,3 +1,19 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 10 22:15:56 UTC 2017 - suse-beta@cboltz.de
|
||||||
|
|
||||||
|
- update to AppArmor 2.10.2 maintenance release
|
||||||
|
- lots of bugfixes and profile updates (including boo#1000201,
|
||||||
|
boo#1009964, boo#1014463)
|
||||||
|
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_2 for details
|
||||||
|
- add aa-unconfined-fix-netstat-call-2.10r3380.diff to fix a regression
|
||||||
|
in aa-unconfined
|
||||||
|
- drop upstream(ed) patches:
|
||||||
|
- changes-since-2.10.1--r3326..3346.diff
|
||||||
|
- changes-since-2.10.1--r3347..3353.diff
|
||||||
|
- libapparmor-fix-import-path.diff (upstream fix is slightly different)
|
||||||
|
- nscd-var-lib.diff
|
||||||
|
- refresh apparmor-abstractions-no-multiline.diff
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun Oct 23 13:18:43 UTC 2016 - suse-beta@cboltz.de
|
Sun Oct 23 13:18:43 UTC 2016 - suse-beta@cboltz.de
|
||||||
|
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
#
|
#
|
||||||
# spec file for package apparmor
|
# spec file for package apparmor
|
||||||
#
|
#
|
||||||
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
# Copyright (c) 2011-2016 Christian Boltz
|
# Copyright (c) 2011-2017 Christian Boltz
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -60,7 +60,7 @@ Name: apparmor
|
|||||||
%if ! %{?distro:1}0
|
%if ! %{?distro:1}0
|
||||||
%define distro suse
|
%define distro suse
|
||||||
%endif
|
%endif
|
||||||
Version: 2.10.1
|
Version: 2.10.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: AppArmor userlevel parser utility
|
Summary: AppArmor userlevel parser utility
|
||||||
License: GPL-2.0+
|
License: GPL-2.0+
|
||||||
@ -82,8 +82,8 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
|
|||||||
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
|
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
|
||||||
Patch3: apparmor-utils-string-split
|
Patch3: apparmor-utils-string-split
|
||||||
|
|
||||||
# upstream changes/fixes from 2.10 branch r3326..3346
|
# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380)
|
||||||
Patch4: changes-since-2.10.1--r3326..3346.diff
|
Patch4: aa-unconfined-fix-netstat-call-2.10r3380.diff
|
||||||
|
|
||||||
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
|
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
|
||||||
Patch5: ruby-2_0-mkmf-destdir.patch
|
Patch5: ruby-2_0-mkmf-destdir.patch
|
||||||
@ -95,15 +95,6 @@ Patch6: apparmor-abstractions-no-multiline.diff
|
|||||||
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
|
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
|
||||||
Patch7: apparmor-lessopen-profile.patch
|
Patch7: apparmor-lessopen-profile.patch
|
||||||
|
|
||||||
# fix import path for LibAppArmor for newer swig versions (boo#987607, not upstreamed yet)
|
|
||||||
Patch8: libapparmor-fix-import-path.diff
|
|
||||||
|
|
||||||
# upstream changes/fixes from 2.10 branch r3347..3353
|
|
||||||
Patch9: changes-since-2.10.1--r3347..3353.diff
|
|
||||||
|
|
||||||
# update nscd profile and abstractions/nameservice to allow /var/lib/nscd/ paths (submitted upstream 2016-10-23)
|
|
||||||
Patch10: nscd-var-lib.diff
|
|
||||||
|
|
||||||
Url: https://launchpad.net/apparmor
|
Url: https://launchpad.net/apparmor
|
||||||
PreReq: sed
|
PreReq: sed
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
@ -453,9 +444,6 @@ SubDomain.
|
|||||||
|
|
||||||
%patch6
|
%patch6
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8
|
|
||||||
%patch9
|
|
||||||
%patch10
|
|
||||||
|
|
||||||
# search for left-over multiline rules
|
# search for left-over multiline rules
|
||||||
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
||||||
|
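Review bot: The `%patch4` application line is not in the visible hunks, so it is worth confirming its `-p` level still matches the replacement Patch4: both the dropped changes-since-2.10.1--r3326..3346.diff and the new aa-unconfined-fix-netstat-call-2.10r3380.diff use bzr-style `--- utils/aa-unconfined` paths without an `a/` prefix, so the existing level presumably still applies, but a mismatch would only surface at build time. The `%patch8`, `%patch9` and `%patch10` removals in this hunk match the dropped Patch8–Patch10 declarations in the earlier hunk. The rest of the spec, including the `%patch4` line, is outside the hunks.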
@ -1,875 +0,0 @@
|
|||||||
------------------------------------------------------------
|
|
||||||
revno: 3346
|
|
||||||
behebt den Fehler: https://launchpad.net/bugs/1538306
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Mon 2016-08-15 22:06:47 +0200
|
|
||||||
message:
|
|
||||||
Fix aa-logprof "add hat" endless loop
|
|
||||||
|
|
||||||
This turned out to be a simple case of misinterpreting the promptUser()
|
|
||||||
result - it returns the answer and the selected option, and
|
|
||||||
"surprisingly" something like
|
|
||||||
('CMD_ADDHAT', 0)
|
|
||||||
never matched
|
|
||||||
'CMD_ADDHAT'
|
|
||||||
;-)
|
|
||||||
|
|
||||||
I also noticed that the new hat doesn't get initialized as
|
|
||||||
profile_storage(), and that the changed profile doesn't get marked as
|
|
||||||
changed. This is also fixed by this patch.
|
|
||||||
|
|
||||||
|
|
||||||
References: https://bugs.launchpad.net/apparmor/+bug/1538306
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3345
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Fri 2016-08-12 12:02:43 +0200
|
|
||||||
message:
|
|
||||||
type_is_str(): make pyflakes3 happy
|
|
||||||
|
|
||||||
pyflakes3 doesn't check sys.version and therefore complains about
|
|
||||||
'unicode' being undefined.
|
|
||||||
|
|
||||||
This patch defines unicode as alias of str to make pyflakes3 happy, and
|
|
||||||
as a side effect, simplifies type_is_str().
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3344
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Mon 2016-08-08 23:16:12 +0200
|
|
||||||
message:
|
|
||||||
delete_duplicates(): don't modify self.rules while looping over it
|
|
||||||
|
|
||||||
By calling self.delete() inside the delete_duplicates() loop, the
|
|
||||||
self.rules list was modified. This resulted in some rules not being
|
|
||||||
checked and therefore (some, not all) superfluous rules not being
|
|
||||||
removed.
|
|
||||||
|
|
||||||
This patch switches to a temporary variable to loop over, and rebuilds
|
|
||||||
self.rules with the rules that are not superfluous.
|
|
||||||
|
|
||||||
This also fixes some strange issues already marked with a "Huh?" comment
|
|
||||||
in the tests.
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
|
|
||||||
|
|
||||||
Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule,
|
|
||||||
therefore the cleanprof_test.out change doesn't make sense for 2.10.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3343
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Wed 2016-08-03 21:53:06 +0200
|
|
||||||
message:
|
|
||||||
winbindd profile: allow dac_override
|
|
||||||
|
|
||||||
This is needed to delete kerberos ccache files, for details see
|
|
||||||
https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
|
|
||||||
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3342
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Sun 2016-07-31 17:15:42 +0200
|
|
||||||
message:
|
|
||||||
logparser: store network-related params if an event looks like network
|
|
||||||
|
|
||||||
Network events can come with an operation= that looks like a file event.
|
|
||||||
Nevertheless, if the event has a typical network parameter (like
|
|
||||||
net_protocol) set, make sure to store the network-related flags in ev.
|
|
||||||
|
|
||||||
This fixes the test failure introduced in my last commit.
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3341
|
|
||||||
behebt den Fehler: https://launchpad.net/bugs/1577051
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Sat 2016-07-30 00:44:18 +0200
|
|
||||||
message:
|
|
||||||
logparser.py: ignore network events with 'send receive'
|
|
||||||
|
|
||||||
We already ignore network events that look like file events (based on
|
|
||||||
the operation keyword) if they have a request_mask of 'send' or
|
|
||||||
'receive' to avoid aa-logprof crashes because of "unknown" permissions.
|
|
||||||
It turned out that both can happen at once, so we should also ignore
|
|
||||||
this case.
|
|
||||||
|
|
||||||
Also add the now-ignored log event as test_multi testcase.
|
|
||||||
|
|
||||||
|
|
||||||
References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3340
|
|
||||||
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Fri 2016-07-29 11:46:16 -0700
|
|
||||||
message:
|
|
||||||
add ld.so.preload to <abstractions/base>, thanks to Uzair Shamim
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3339
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Tue 2016-07-26 21:13:49 +0200
|
|
||||||
message:
|
|
||||||
Allow mr for /usr/lib*/ldb/*.so in samba abstractions
|
|
||||||
|
|
||||||
This is needed for winbindd (since samba 4.4.x), but smbd could also need it.
|
|
||||||
|
|
||||||
References: https://bugzilla.opensuse.org/show_bug.cgi?id=990006
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3338
|
|
||||||
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Fri 2016-06-24 10:36:42 -0700
|
|
||||||
message:
|
|
||||||
intrigeri@boum.org 2016-06-24 mod_apparmor manpage: fix "documenation" typo.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3337
|
|
||||||
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Wed 2016-06-22 15:15:42 -0700
|
|
||||||
message:
|
|
||||||
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
||||||
Date: Tue, 21 Jun 2016 18:18:45 +0100
|
|
||||||
Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf
|
|
||||||
|
|
||||||
Follow the same logic we already did for NetworkManager,
|
|
||||||
resolvconf and systemd-resolved. The wonderful thing about
|
|
||||||
standards is that there are so many to choose from.
|
|
||||||
|
|
||||||
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
||||||
|
|
||||||
[modified by sarnold to fit the surroundings]
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3336
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Sun 2016-06-05 23:43:55 +0200
|
|
||||||
message:
|
|
||||||
Add a note about still enforcing deny rules to aa-complain manpage
|
|
||||||
|
|
||||||
This behaviour makes sense (for example to force the confined program to
|
|
||||||
use a fallback path), but is probably surprising for users, so we should
|
|
||||||
document it.
|
|
||||||
|
|
||||||
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218#37
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3335
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Sun 2016-06-05 20:07:33 +0200
|
|
||||||
message:
|
|
||||||
honor 'chown' file events in logparser.py
|
|
||||||
|
|
||||||
Also add a testcase to libapparmor's log collection
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3334
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Wed 2016-06-01 21:06:25 +0200
|
|
||||||
message:
|
|
||||||
aa-genprof: ask about profiles in extra dir (again)
|
|
||||||
|
|
||||||
Thanks to reading the wrong directory in read_inactive_profiles()
|
|
||||||
(profile_dir instead of extra_profile_dir), aa-genprof never asked about
|
|
||||||
using a profile from the extra_profile_dir.
|
|
||||||
|
|
||||||
Sounds like an easy fix, right? ;-)
|
|
||||||
|
|
||||||
After fixing this (last chunk), several other errors popped up, one
|
|
||||||
after the other:
|
|
||||||
- get_profile() missed a required parameter in a serialize_profile() call
|
|
||||||
- when saving the profile, it was written to extra_profile_dir, not to
|
|
||||||
profile_dir where it (as a now-active profile) should be. This is
|
|
||||||
fixed by removing the filename from existing_profiles{} so that it can
|
|
||||||
pick up the default name.
|
|
||||||
- CMD_FINISHED (when asking if the extra profile should be used or a new
|
|
||||||
one) behaved exactly like CMD_CREATE_PROFILE, but this is surprising
|
|
||||||
for the user. Remove it to avoid confusion.
|
|
||||||
- displaying the extra profile was only implemented in YaST mode
|
|
||||||
- get_pager() returned None, not an actual pager. Since we have 'less'
|
|
||||||
hardcoded at several places, also return it in get_pager()
|
|
||||||
|
|
||||||
Finally, also remove CMD_FINISHED from the get_profile() test in
|
|
||||||
test-translations.py.
|
|
||||||
|
|
||||||
|
|
||||||
(test-translations.py is only in trunk, therefore this part of the patch
|
|
||||||
is obviously trunk-only.)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk
|
|
||||||
Acked-by: John Johansen <john.johansen@canonical.com> for trunk + a 50% ACK for 2.10 and 2.9
|
|
||||||
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3333
|
|
||||||
behebt die Fehler: https://launchpad.net/bugs/1577051 https://launchpad.net/bugs/1582374
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Mon 2016-05-23 23:32:23 +0200
|
|
||||||
message:
|
|
||||||
Ignore file events with a request mask of 'send' or 'receive'
|
|
||||||
|
|
||||||
Those events are actually network events, so ideally we should map them
|
|
||||||
as such. Unfortunately this requires bigger changes, so here is a hotfix
|
|
||||||
that ignores those events and thus avoids crashing aa-logprof.
|
|
||||||
|
|
||||||
References: https://bugs.launchpad.net/apparmor/+bug/1577051
|
|
||||||
https://bugs.launchpad.net/apparmor/+bug/1582374
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3332
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Sun 2016-05-22 14:51:55 +0200
|
|
||||||
message:
|
|
||||||
Document empty quotes ("") as empty value of a variable
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for all branches where this makes sense :)
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3331
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Wed 2016-05-18 21:18:34 +0200
|
|
||||||
message:
|
|
||||||
allow inet6 in ping profile
|
|
||||||
|
|
||||||
The latest iputils merged ping and ping6 into a single binary that does
|
|
||||||
both IPv4 and IPv6 pings (by default, it really does both).
|
|
||||||
This means we need to allow network inet6 raw in the ping profile.
|
|
||||||
|
|
||||||
References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596
|
|
||||||
(contains more details and example output)
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3330
|
|
||||||
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Wed 2016-05-11 17:23:22 -0700
|
|
||||||
message:
|
|
||||||
dbus-session-strict: allow access to the user bus socket
|
|
||||||
|
|
||||||
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
||||||
Date: Wed, 4 May 2016 13:48:36 +0100
|
|
||||||
Subject: dbus-session-strict: allow access to the user bus socket
|
|
||||||
|
|
||||||
If dbus is configured with --enable-user-bus (for example in the
|
|
||||||
dbus-user-session package in Debian and its derivatives), and the user
|
|
||||||
session is started with systemd, then the "dbus-daemon --session" will be
|
|
||||||
started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus. Similarly,
|
|
||||||
on systems where dbus-daemon has been replaced with kdbus, the
|
|
||||||
bridge/proxy used to provide compatibility with the traditional D-Bus
|
|
||||||
protocol listens on that same socket.
|
|
||||||
|
|
||||||
In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems,
|
|
||||||
where $uid represents the numeric uid. I have not used /{var/,}run here,
|
|
||||||
because systemd does not support configurations where /var/run and /run
|
|
||||||
are distinct; in practice, /var/run is a symbolic link.
|
|
||||||
|
|
||||||
Based on a patch by Sjoerd Simons, which originally used the historical
|
|
||||||
path /run/user/*/dbus/user_bus_socket. That path was popularized by the
|
|
||||||
user-session-units git repository, but has never been used in a released
|
|
||||||
version of dbus and should be considered unsupported.
|
|
||||||
|
|
||||||
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3329
|
|
||||||
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Wed 2016-05-11 16:30:29 -0700
|
|
||||||
message:
|
|
||||||
syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
|
|
||||||
|
|
||||||
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
||||||
Date: Wed, 11 May 2016 13:52:56 +0100
|
|
||||||
Subject: syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
|
|
||||||
|
|
||||||
This test attempts to auto-skip the sysctl() part if that syscall
|
|
||||||
was not compiled into the current kernel, via
|
|
||||||
CONFIG_SYSCTL_SYSCALL=n. Unfortunately, this didn't actually work,
|
|
||||||
for two reasons:
|
|
||||||
|
|
||||||
* Because "${test} ro" wasn't in "&&", "||", a pipeline or an "if",
|
|
||||||
and it had nonzero exit status, the trap on ERR was triggered,
|
|
||||||
causing execution of the error_handler() shell function, which
|
|
||||||
aborts the test with a failed status. The rules for ERR are the
|
|
||||||
same as for "set -e", so we can circumvent it in the same ways.
|
|
||||||
* Because sysctl_syscall.c prints its diagnostic message to stderr,
|
|
||||||
but the $() operator only captures stdout, it never matched
|
|
||||||
in the string comparison. This is easily solved by redirecting
|
|
||||||
its stderr to stdout.
|
|
||||||
|
|
||||||
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3328
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Tue 2016-05-10 14:34:40 +0200
|
|
||||||
message:
|
|
||||||
load variables in ask_the_questions()
|
|
||||||
|
|
||||||
Variables can be used in several rule types (from the existing *Rule
|
|
||||||
classes: change_profile, dbus, ptrace, signal). It seems nobody uses
|
|
||||||
variables with those rules, otherwise we'd have received a bugreport ;-)
|
|
||||||
|
|
||||||
I noticed this while working on FileRule, where usage of variables is
|
|
||||||
more common. The file code in bzr (not using a *Rule class) already
|
|
||||||
loads the variables, so old versions don't need changes for file rule
|
|
||||||
handling.
|
|
||||||
|
|
||||||
However, 2.10 already has ChangeProfileRule and therefore also needs
|
|
||||||
this fix.
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3327
|
|
||||||
behebt den Fehler: https://launchpad.net/bugs/1453300
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Thu 2016-05-05 12:02:11 +0200
|
|
||||||
message:
|
|
||||||
accept hostname with dots
|
|
||||||
|
|
||||||
Some people have the full hostname in their syslog messages, so
|
|
||||||
libapparmor needs to accept hostnames that contain dots.
|
|
||||||
|
|
||||||
|
|
||||||
References: https://bugs.launchpad.net/apparmor/+bug/1453300 comments
|
|
||||||
#1 and #2 (the log samples reported by scrx in #apparmor)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
|
||||||
Acked-by: John Johansen <john.johansen@canonical.com>
|
|
||||||
for trunk, 2.10 and 2.9.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3326
|
|
||||||
tags: apparmor_2.10.1
|
|
||||||
committer: John Johansen <john.johansen@canonical.com>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Wed 2016-04-20 02:07:34 -0700
|
|
||||||
message:
|
|
||||||
common/Version: prepare for 2.10.1 release
|
|
||||||
=== modified file 'changehat/mod_apparmor/mod_apparmor.pod'
|
|
||||||
--- changehat/mod_apparmor/mod_apparmor.pod 2014-09-15 18:30:47 +0000
|
|
||||||
+++ changehat/mod_apparmor/mod_apparmor.pod 2016-06-24 17:36:42 +0000
|
|
||||||
@@ -65,7 +65,7 @@
|
|
||||||
|
|
||||||
AAHatName allows you to specify a hat to be used for a given Apache
|
|
||||||
E<lt>DirectoryE<gt>, E<lt>DirectoryMatchE<gt>, E<lt>LocationE<gt> or
|
|
||||||
-E<lt>LocationMatchE<gt> directive (see the Apache documenation for more
|
|
||||||
+E<lt>LocationMatchE<gt> directive (see the Apache documentation for more
|
|
||||||
details). Note that mod_apparmor behavior can become confused if
|
|
||||||
E<lt>Directory*E<gt> and E<lt>Location*E<gt> directives are intermingled
|
|
||||||
and it is recommended to use one type of directive. If the hat specified by
|
|
||||||
|
|
||||||
=== modified file 'libraries/libapparmor/src/scanner.l'
|
|
||||||
--- libraries/libapparmor/src/scanner.l 2015-06-02 08:00:29 +0000
|
|
||||||
+++ libraries/libapparmor/src/scanner.l 2016-05-05 10:02:11 +0000
|
|
||||||
@@ -178,7 +178,7 @@
|
|
||||||
hhmmss {digit}{2}{colon}{digit}{2}{colon}{digit}{2}
|
|
||||||
timezone ({plus}|{minus}){digit}{2}{colon}{digit}{2}
|
|
||||||
syslog_time {hhmmss}({period}{digits})?{timezone}?
|
|
||||||
-syslog_hostname [[:alnum:]_-]+
|
|
||||||
+syslog_hostname [[:alnum:]._-]+
|
|
||||||
dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
|
|
||||||
|
|
||||||
%x single_quoted_string
|
|
||||||
|
|
||||||
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.err'
|
|
||||||
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.in'
|
|
||||||
--- libraries/libapparmor/testsuite/test_multi/file_chown.in 1970-01-01 00:00:00 +0000
|
|
||||||
+++ libraries/libapparmor/testsuite/test_multi/file_chown.in 2016-06-05 18:07:33 +0000
|
|
||||||
@@ -0,0 +1,1 @@
|
|
||||||
+type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4
|
|
||||||
|
|
||||||
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.out'
|
|
||||||
--- libraries/libapparmor/testsuite/test_multi/file_chown.out 1970-01-01 00:00:00 +0000
|
|
||||||
+++ libraries/libapparmor/testsuite/test_multi/file_chown.out 2016-06-05 18:07:33 +0000
|
|
||||||
@@ -0,0 +1,15 @@
|
|
||||||
+START
|
|
||||||
+File: file_chown.in
|
|
||||||
+Event type: AA_RECORD_DENIED
|
|
||||||
+Audit ID: 1465133533.431:728
|
|
||||||
+Operation: chown
|
|
||||||
+Mask: w
|
|
||||||
+Denied Mask: w
|
|
||||||
+fsuid: 0
|
|
||||||
+ouid: 4
|
|
||||||
+Profile: /usr/sbin/cupsd
|
|
||||||
+Name: /run/cups/certs/
|
|
||||||
+Command: cupsd
|
|
||||||
+PID: 8515
|
|
||||||
+Epoch: 1465133533
|
|
||||||
+Audit subid: 728
|
|
||||||
|
|
||||||
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.err'
|
|
||||||
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in'
|
|
||||||
--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 1970-01-01 00:00:00 +0000
|
|
||||||
+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 2016-05-05 10:02:11 +0000
|
|
||||||
@@ -0,0 +1,1 @@
|
|
||||||
+Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" profile="/opt/evoke/venv/bin/gunicorn" name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=110
|
|
||||||
|
|
||||||
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out'
|
|
||||||
--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 1970-01-01 00:00:00 +0000
|
|
||||||
+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 2016-05-05 10:02:11 +0000
|
|
||||||
@@ -0,0 +1,15 @@
|
|
||||||
+START
|
|
||||||
+File: syslog_hostname_with_dot.in
|
|
||||||
+Event type: AA_RECORD_ALLOWED
|
|
||||||
+Audit ID: 1442256553.643:40143
|
|
||||||
+Operation: open
|
|
||||||
+Mask: r
|
|
||||||
+Denied Mask: r
|
|
||||||
+fsuid: 1000
|
|
||||||
+ouid: 110
|
|
||||||
+Profile: /opt/evoke/venv/bin/gunicorn
|
|
||||||
+Name: /opt/evoke/venv/lib/python2.7/warnings.pyc
|
|
||||||
+Command: gunicorn
|
|
||||||
+PID: 28943
|
|
||||||
+Epoch: 1442256553
|
|
||||||
+Audit subid: 40143
|
|
||||||
|
|
||||||
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err'
|
|
||||||
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in'
|
|
||||||
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 1970-01-01 00:00:00 +0000
|
|
||||||
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 2016-07-29 22:44:18 +0000
|
|
||||||
@@ -0,0 +1,1 @@
|
|
||||||
+Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive"
|
|
||||||
|
|
||||||
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out'
|
|
||||||
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 1970-01-01 00:00:00 +0000
|
|
||||||
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 2016-07-29 22:44:18 +0000
|
|
||||||
@@ -0,0 +1,19 @@
|
|
||||||
+START
|
|
||||||
+File: testcase_network_send_receive.in
|
|
||||||
+Event type: AA_RECORD_ALLOWED
|
|
||||||
+Audit ID: 1469785325.122:21021
|
|
||||||
+Operation: file_inherit
|
|
||||||
+Mask: send receive
|
|
||||||
+Denied Mask: send receive
|
|
||||||
+Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash
|
|
||||||
+Command: sh
|
|
||||||
+PID: 18239
|
|
||||||
+Network family: inet
|
|
||||||
+Socket type: stream
|
|
||||||
+Protocol: tcp
|
|
||||||
+Local addr: 192.168.10.3
|
|
||||||
+Foreign addr: 54.153.70.241
|
|
||||||
+Local port: 50758
|
|
||||||
+Foreign port: 443
|
|
||||||
+Epoch: 1469785325
|
|
||||||
+Audit subid: 21021
|
|
||||||
|
|
||||||
=== modified file 'parser/apparmor.d.pod'
|
|
||||||
--- parser/apparmor.d.pod 2016-02-12 20:43:42 +0000
|
|
||||||
+++ parser/apparmor.d.pod 2016-05-22 12:51:55 +0000
|
|
||||||
@@ -1234,7 +1234,8 @@
|
|
||||||
|
|
||||||
The parser will automatically expand variables to include all values
|
|
||||||
that they have been assigned; it is an error to reference a variable
|
|
||||||
-without setting at least one value.
|
|
||||||
+without setting at least one value. You can use empty quotes ("") to
|
|
||||||
+explicitly add an empty value.
|
|
||||||
|
|
||||||
At the time of this writing, the following variables are defined in the
|
|
||||||
provided AppArmor policy:
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/abstractions/base'
|
|
||||||
--- profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000
|
|
||||||
+++ profiles/apparmor.d/abstractions/base 2016-07-29 18:46:16 +0000
|
|
||||||
@@ -47,6 +47,7 @@
|
|
||||||
# ld.so.cache and ld are used to load shared libraries; they are best
|
|
||||||
# available everywhere
|
|
||||||
/etc/ld.so.cache mr,
|
|
||||||
+ /etc/ld.so.preload r,
|
|
||||||
/lib{,32,64}/ld{,32,64}-*.so mrix,
|
|
||||||
/lib{,32,64}/**/ld{,32,64}-*.so mrix,
|
|
||||||
/lib/@{multiarch}/ld{,32,64}-*.so mrix,
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/abstractions/dbus-session-strict'
|
|
||||||
--- profiles/apparmor.d/abstractions/dbus-session-strict 2014-09-03 20:11:05 +0000
|
|
||||||
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2016-05-12 00:23:22 +0000
|
|
||||||
@@ -17,6 +17,9 @@
|
|
||||||
type=stream
|
|
||||||
peer=(addr="@/tmp/dbus-*"),
|
|
||||||
|
|
||||||
+ # dbus with systemd and --enable-user-session
|
|
||||||
+ owner /run/user/[0-9]*/bus rw,
|
|
||||||
+
|
|
||||||
dbus send
|
|
||||||
bus=session
|
|
||||||
path=/org/freedesktop/DBus
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
|
|
||||||
--- profiles/apparmor.d/abstractions/nameservice 2016-01-05 23:04:34 +0000
|
|
||||||
+++ profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:42 +0000
|
|
||||||
@@ -33,14 +33,10 @@
|
|
||||||
/var/lib/sss/pipes/nss rw,
|
|
||||||
|
|
||||||
/etc/resolv.conf r,
|
|
||||||
- # on systems using resolvconf, /etc/resolv.conf is a symlink to
|
|
||||||
- # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
|
|
||||||
- # /etc/resolvconf/run/resolv.conf
|
|
||||||
- /{,var/}run/resolvconf/resolv.conf r,
|
|
||||||
+ # On systems where /etc/resolv.conf is managed programmatically, it is
|
|
||||||
+ # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
|
|
||||||
+ /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
|
|
||||||
/etc/resolvconf/run/resolv.conf r,
|
|
||||||
- # on systems using systemd's networkd, /etc/resolv.conf is a symlink to
|
|
||||||
- # /run/systemd/resolve/resolv.conf
|
|
||||||
- /{,var/}run/systemd/resolve/resolv.conf r,
|
|
||||||
|
|
||||||
/etc/samba/lmhosts r,
|
|
||||||
/etc/services r,
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/abstractions/samba'
|
|
||||||
--- profiles/apparmor.d/abstractions/samba 2015-05-18 23:25:26 +0000
|
|
||||||
+++ profiles/apparmor.d/abstractions/samba 2016-07-26 19:13:49 +0000
|
|
||||||
@@ -10,6 +10,7 @@
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
/etc/samba/* r,
|
|
||||||
+ /usr/lib*/ldb/*.so mr,
|
|
||||||
/usr/share/samba/*.dat r,
|
|
||||||
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
|
|
||||||
/var/cache/samba/ w,
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/bin.ping'
|
|
||||||
--- profiles/apparmor.d/bin.ping 2015-10-20 21:12:35 +0000
|
|
||||||
+++ profiles/apparmor.d/bin.ping 2016-05-18 19:18:34 +0000
|
|
||||||
@@ -18,6 +18,7 @@
|
|
||||||
capability net_raw,
|
|
||||||
capability setuid,
|
|
||||||
network inet raw,
|
|
||||||
+ network inet6 raw,
|
|
||||||
|
|
||||||
/{,usr/}bin/ping mixr,
|
|
||||||
/etc/modules.conf r,
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
|
|
||||||
--- profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000
|
|
||||||
+++ profiles/apparmor.d/usr.sbin.winbindd 2016-08-03 19:53:06 +0000
|
|
||||||
@@ -7,6 +7,7 @@
|
|
||||||
|
|
||||||
deny capability block_suspend,
|
|
||||||
|
|
||||||
+ capability dac_override,
|
|
||||||
capability ipc_lock,
|
|
||||||
capability setuid,
|
|
||||||
|
|
||||||
|
|
||||||
=== modified file 'tests/regression/apparmor/syscall_sysctl.sh'
|
|
||||||
--- tests/regression/apparmor/syscall_sysctl.sh 2014-03-20 18:23:10 +0000
|
|
||||||
+++ tests/regression/apparmor/syscall_sysctl.sh 2016-05-11 23:30:29 +0000
|
|
||||||
@@ -149,8 +149,7 @@
|
|
||||||
# generally we want to encourage kernels to disable it, but if it's
|
|
||||||
# enabled we want to test against it
|
|
||||||
settest syscall_sysctl
|
|
||||||
-res=$(${test} ro)
|
|
||||||
-if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
|
|
||||||
+if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
|
|
||||||
echo " WARNING: syscall sysctl not implemented, skipping tests ..."
|
|
||||||
else
|
|
||||||
test_syscall_sysctl
|
|
||||||
|
|
||||||
=== modified file 'utils/aa-complain.pod'
|
|
||||||
--- utils/aa-complain.pod 2014-09-15 18:30:47 +0000
|
|
||||||
+++ utils/aa-complain.pod 2016-06-05 21:43:55 +0000
|
|
||||||
@@ -41,6 +41,8 @@
|
|
||||||
In this mode security policy is not enforced but rather access violations
|
|
||||||
are logged to the system log.
|
|
||||||
|
|
||||||
+Note that 'deny' rules will be enforced even in complain mode.
|
|
||||||
+
|
|
||||||
=head1 BUGS
|
|
||||||
|
|
||||||
If you find any bugs, please report them at
|
|
||||||
|
|
||||||
=== modified file 'utils/aa-mergeprof'
|
|
||||||
--- utils/aa-mergeprof 2015-07-06 20:02:34 +0000
|
|
||||||
+++ utils/aa-mergeprof 2016-05-10 12:34:40 +0000
|
|
||||||
@@ -1,6 +1,7 @@
|
|
||||||
#! /usr/bin/env python
|
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
|
|
||||||
+# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de>
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
@@ -17,7 +18,7 @@
|
|
||||||
import os
|
|
||||||
|
|
||||||
import apparmor.aa
|
|
||||||
-from apparmor.aa import available_buttons, combine_name, delete_duplicates, is_known_rule, match_includes
|
|
||||||
+from apparmor.aa import available_buttons, combine_name, delete_duplicates, get_profile_filename, is_known_rule, match_includes
|
|
||||||
import apparmor.aamode
|
|
||||||
from apparmor.common import AppArmorException
|
|
||||||
from apparmor.regex import re_match_include
|
|
||||||
@@ -283,6 +284,9 @@
|
|
||||||
if not sev_db:
|
|
||||||
sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown'))
|
|
||||||
|
|
||||||
+ sev_db.unload_variables()
|
|
||||||
+ sev_db.load_variables(get_profile_filename(profile))
|
|
||||||
+
|
|
||||||
for hat in sorted(other.aa[profile].keys()):
|
|
||||||
#Add the includes from the other profile to the user profile
|
|
||||||
done = False
|
|
||||||
|
|
||||||
=== modified file 'utils/apparmor/aa.py'
|
|
||||||
--- utils/apparmor/aa.py 2016-03-01 20:25:29 +0000
|
|
||||||
+++ utils/apparmor/aa.py 2016-08-15 20:06:47 +0000
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
|
|
||||||
-# Copyright (C) 2014-2015 Christian Boltz <apparmor@cboltz.de>
|
|
||||||
+# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de>
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
@@ -557,8 +557,11 @@
|
|
||||||
inactive_profile[prof_name][prof_name].pop('filename')
|
|
||||||
profile_hash[uname]['username'] = uname
|
|
||||||
profile_hash[uname]['profile_type'] = 'INACTIVE_LOCAL'
|
|
||||||
- profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name)
|
|
||||||
+ profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name, None)
|
|
||||||
profile_hash[uname]['profile_data'] = inactive_profile
|
|
||||||
+
|
|
||||||
+ existing_profiles.pop(prof_name) # remove profile filename from list to force storing in /etc/apparmor.d/ instead of extra_profile_dir
|
|
||||||
+
|
|
||||||
# If no profiles in repo and no inactive profiles
|
|
||||||
if not profile_hash.keys():
|
|
||||||
return None
|
|
||||||
@@ -579,18 +582,13 @@
|
|
||||||
|
|
||||||
q = aaui.PromptQuestion()
|
|
||||||
q.headers = ['Profile', prof_name]
|
|
||||||
- q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE',
|
|
||||||
- 'CMD_ABORT', 'CMD_FINISHED']
|
|
||||||
+ q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT']
|
|
||||||
q.default = "CMD_VIEW_PROFILE"
|
|
||||||
q.options = options
|
|
||||||
q.selected = 0
|
|
||||||
|
|
||||||
ans = ''
|
|
||||||
while 'CMD_USE_PROFILE' not in ans and 'CMD_CREATE_PROFILE' not in ans:
|
|
||||||
- if ans == 'CMD_FINISHED':
|
|
||||||
- save_profiles()
|
|
||||||
- return
|
|
||||||
-
|
|
||||||
ans, arg = q.promptUser()
|
|
||||||
p = profile_hash[options[arg]]
|
|
||||||
q.selected = options.index(options[arg])
|
|
||||||
@@ -602,12 +600,13 @@
|
|
||||||
'profile_type': p['profile_type']
|
|
||||||
})
|
|
||||||
ypath, yarg = GetDataFromYast()
|
|
||||||
- #else:
|
|
||||||
- # pager = get_pager()
|
|
||||||
- # proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
|
|
||||||
+ else:
|
|
||||||
+ pager = get_pager()
|
|
||||||
+ proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
|
|
||||||
# proc.communicate('Profile submitted by %s:\n\n%s\n\n' %
|
|
||||||
# (options[arg], p['profile']))
|
|
||||||
- # proc.kill()
|
|
||||||
+ proc.communicate(p['profile'].encode())
|
|
||||||
+ proc.kill()
|
|
||||||
elif ans == 'CMD_USE_PROFILE':
|
|
||||||
if p['profile_type'] == 'INACTIVE_LOCAL':
|
|
||||||
profile_data = p['profile_data']
|
|
||||||
@@ -658,6 +657,7 @@
|
|
||||||
if not profile_data:
|
|
||||||
profile_data = create_new_profile(pname)
|
|
||||||
file = get_profile_filename(pname)
|
|
||||||
+ profile_data[pname][pname]['filename'] = None # will be stored in /etc/apparmor.d when saving, so it shouldn't carry the extra_profile_dir filename
|
|
||||||
attach_profile_data(aa, profile_data)
|
|
||||||
attach_profile_data(original_aa, profile_data)
|
|
||||||
if os.path.isfile(profile_dir + '/tunables/global'):
|
|
||||||
@@ -1095,7 +1095,7 @@
|
|
||||||
|
|
||||||
seen_events += 1
|
|
||||||
|
|
||||||
- ans = q.promptUser()
|
|
||||||
+ ans = q.promptUser()[0]
|
|
||||||
|
|
||||||
if ans == 'CMD_FINISHED':
|
|
||||||
save_profiles()
|
|
||||||
@@ -1105,7 +1105,9 @@
|
|
||||||
|
|
||||||
if ans == 'CMD_ADDHAT':
|
|
||||||
hat = uhat
|
|
||||||
+ aa[profile][hat] = profile_storage(profile, hat, 'handle_children addhat')
|
|
||||||
aa[profile][hat]['flags'] = aa[profile][profile]['flags']
|
|
||||||
+ changed[profile] = True
|
|
||||||
elif ans == 'CMD_USEDEFAULT':
|
|
||||||
hat = default_hat
|
|
||||||
elif ans == 'CMD_DENY':
|
|
||||||
@@ -1590,6 +1592,10 @@
|
|
||||||
UI_SelectUpdatedRepoProfile(profile, p)
|
|
||||||
|
|
||||||
found += 1
|
|
||||||
+
|
|
||||||
+ sev_db.unload_variables()
|
|
||||||
+ sev_db.load_variables(get_profile_filename(profile))
|
|
||||||
+
|
|
||||||
# Sorted list of hats with the profile name coming first
|
|
||||||
hats = list(filter(lambda key: key != profile, sorted(log_dict[aamode][profile].keys())))
|
|
||||||
if log_dict[aamode][profile].get(profile, False):
|
|
||||||
@@ -2305,7 +2311,7 @@
|
|
||||||
reload_base(profile_name)
|
|
||||||
|
|
||||||
def get_pager():
|
|
||||||
- pass
|
|
||||||
+ return 'less'
|
|
||||||
|
|
||||||
def generate_diff(oldprofile, newprofile):
|
|
||||||
oldtemp = tempfile.NamedTemporaryFile('w')
|
|
||||||
@@ -2504,7 +2510,7 @@
|
|
||||||
except:
|
|
||||||
fatal_error(_("Can't read AppArmor profiles in %s") % extra_profile_dir)
|
|
||||||
|
|
||||||
- for file in os.listdir(profile_dir):
|
|
||||||
+ for file in os.listdir(extra_profile_dir):
|
|
||||||
if os.path.isfile(extra_profile_dir + '/' + file):
|
|
||||||
if is_skippable_file(file):
|
|
||||||
continue
|
|
||||||
|
|
||||||
=== modified file 'utils/apparmor/common.py'
|
|
||||||
--- utils/apparmor/common.py 2015-12-17 22:38:02 +0000
|
|
||||||
+++ utils/apparmor/common.py 2016-08-12 10:02:43 +0000
|
|
||||||
@@ -245,11 +245,12 @@
|
|
||||||
return False
|
|
||||||
return True
|
|
||||||
|
|
||||||
+if sys.version_info[0] > 2:
|
|
||||||
+ unicode = str # python 3 dropped the unicode type. To keep type_is_str() simple (and pyflakes3 happy), re-create it as alias of str.
|
|
||||||
+
|
|
||||||
def type_is_str(var):
|
|
||||||
''' returns True if the given variable is a str (or unicode string when using python 2)'''
|
|
||||||
- if type(var) == str:
|
|
||||||
- return True
|
|
||||||
- elif sys.version_info[0] < 3 and type(var) == unicode: # python 2 sometimes uses the 'unicode' type
|
|
||||||
+ if type(var) in [str, unicode]: # python 2 sometimes uses the 'unicode' type
|
|
||||||
return True
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
|
|
||||||
=== modified file 'utils/apparmor/logparser.py'
|
|
||||||
--- utils/apparmor/logparser.py 2016-02-10 18:09:57 +0000
|
|
||||||
+++ utils/apparmor/logparser.py 2016-07-31 15:15:42 +0000
|
|
||||||
@@ -133,7 +133,7 @@
|
|
||||||
ev['denied_mask'] = event.denied_mask
|
|
||||||
ev['request_mask'] = event.requested_mask
|
|
||||||
ev['magic_token'] = event.magic_token
|
|
||||||
- if ev['operation'] and self.op_type(ev['operation']) == 'net':
|
|
||||||
+ if ev['operation'] and (self.op_type(ev['operation']) == 'net' or event.net_protocol):
|
|
||||||
ev['family'] = event.net_family
|
|
||||||
ev['protocol'] = event.net_protocol
|
|
||||||
ev['sock_type'] = event.net_sock_type
|
|
||||||
@@ -278,7 +278,7 @@
|
|
||||||
self.debug_logger.debug('parse_event_for_tree: dropped exec event in %s' % e['profile'])
|
|
||||||
|
|
||||||
elif ( e['operation'].startswith('file_') or e['operation'].startswith('inode_') or
|
|
||||||
- e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'rename_src',
|
|
||||||
+ e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'chown', 'rename_src',
|
|
||||||
'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link',
|
|
||||||
'sysctl', 'getattr', 'setattr', 'xattr'] ):
|
|
||||||
|
|
||||||
@@ -289,6 +289,13 @@
|
|
||||||
self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e)
|
|
||||||
return None
|
|
||||||
|
|
||||||
+ # sometimes network events come with an e['operation'] that matches the list of file operations
|
|
||||||
+ # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374
|
|
||||||
+ # XXX these events are network events, so we should map them as such
|
|
||||||
+ if 'send' in e['request_mask'] or 'receive' in e['request_mask']:
|
|
||||||
+ self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e)
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
# Map c (create) and d (delete) to w (logging is more detailed than the profile language)
|
|
||||||
rmask = e['request_mask']
|
|
||||||
rmask = rmask.replace('c', 'w')
|
|
||||||
|
|
||||||
=== modified file 'utils/apparmor/rule/__init__.py'
|
|
||||||
--- utils/apparmor/rule/__init__.py 2016-01-25 22:42:45 +0000
|
|
||||||
+++ utils/apparmor/rule/__init__.py 2016-08-08 21:16:12 +0000
|
|
||||||
@@ -312,10 +312,13 @@
|
|
||||||
|
|
||||||
# delete rules that are covered by include files
|
|
||||||
if include_rules:
|
|
||||||
- for rule in self.rules:
|
|
||||||
- if include_rules.is_covered(rule, True, True):
|
|
||||||
- self.delete(rule)
|
|
||||||
+ oldrules = self.rules
|
|
||||||
+ self.rules = []
|
|
||||||
+ for rule in oldrules:
|
|
||||||
+ if include_rules.is_covered(rule, True, False):
|
|
||||||
deleted += 1
|
|
||||||
+ else:
|
|
||||||
+ self.rules.append(rule)
|
|
||||||
|
|
||||||
# de-duplicate rules inside the profile
|
|
||||||
deleted += self.delete_in_profile_duplicates()
|
|
||||||
|
|
||||||
=== modified file 'utils/test/test-capability.py'
|
|
||||||
--- utils/test/test-capability.py 2015-11-23 23:22:37 +0000
|
|
||||||
+++ utils/test/test-capability.py 2016-08-08 21:16:12 +0000
|
|
||||||
@@ -817,7 +817,6 @@
|
|
||||||
inc.add(CapabilityRule.parse(rule))
|
|
||||||
|
|
||||||
expected_raw = [
|
|
||||||
- ' allow capability sys_admin,', # XXX huh? should be deleted!
|
|
||||||
' deny capability chgrp, # example comment',
|
|
||||||
'',
|
|
||||||
]
|
|
||||||
@@ -825,11 +824,9 @@
|
|
||||||
expected_clean = [
|
|
||||||
' deny capability chgrp, # example comment',
|
|
||||||
'',
|
|
||||||
- ' allow capability sys_admin,', # XXX huh? should be deleted!
|
|
||||||
- '',
|
|
||||||
]
|
|
||||||
|
|
||||||
- self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
|
|
||||||
+ self.assertEqual(self.ruleset.delete_duplicates(inc), 2)
|
|
||||||
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
|
|
||||||
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
|
|
||||||
|
|
||||||
|
|
@ -1,324 +0,0 @@
|
|||||||
------------------------------------------------------------
|
|
||||||
revno: 3353
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Thu 2016-10-13 20:29:59 +0200
|
|
||||||
message:
|
|
||||||
syslog-ng profile: allow writing *.qf files
|
|
||||||
|
|
||||||
These files are needed for disk-based buffering (added in syslog-ng 3.8).
|
|
||||||
This was reported to me by Peter Czanik, one of the syslog-ng developers.
|
|
||||||
|
|
||||||
Note: I'm not sure about adding @{CHROOT_BASE} to this rule, so for now
|
|
||||||
I prefer not to do it - adding it later is easy, but finding out if it
|
|
||||||
could be removed is hard ;-)
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3352
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Wed 2016-10-05 20:53:37 +0200
|
|
||||||
message:
|
|
||||||
Add missing permissions to dovecot profiles
|
|
||||||
|
|
||||||
- dovecot/auth: allow to read stats-user
|
|
||||||
- dovecot/config: allow to read /usr/share/dovecot/**
|
|
||||||
- dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
|
|
||||||
/usr/share/dovecot/**
|
|
||||||
|
|
||||||
These things were reported by Félix Sipma in Debian Bug#835826
|
|
||||||
(with some help from sarnold on IRC)
|
|
||||||
|
|
||||||
References: https://bugs.debian.org/835826
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Also allow reading ~/.dovecot.svbin (that's the default filename in the
|
|
||||||
dovecot config) in dovecot/lmtp profile.
|
|
||||||
(*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but
|
|
||||||
that's already covered by the existing rules.)
|
|
||||||
|
|
||||||
References: https://bugs.debian.org/835826 (again)
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3351
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Mon 2016-10-03 21:02:15 +0200
|
|
||||||
message:
|
|
||||||
Drop CMD_CONTINUE from ui.py (twice)
|
|
||||||
|
|
||||||
The latest version of pyflakes (1.3.0 / python 3.5) complains that
|
|
||||||
CMD_CONTINUE is defined twice in ui.py (with different texts).
|
|
||||||
|
|
||||||
Funnily CMD_CONTINUE isn't used anywhere, so we can just drop both.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3350
|
|
||||||
behebt den Fehler: https://launchpad.net/bugs/1379874
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Sat 2016-10-01 20:25:51 +0200
|
|
||||||
message:
|
|
||||||
[39/38] Ignore exec events for non-existing profiles
|
|
||||||
|
|
||||||
The switch to FileRule made some bugs visible that survived unnoticed
|
|
||||||
with hasher for years.
|
|
||||||
|
|
||||||
If aa-logprof sees an exec event for a non-existing profile _and_ a
|
|
||||||
profile file matching the expected profile filename exists in
|
|
||||||
/etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
|
|
||||||
being silent). In the old code, this created a superfluous entry
|
|
||||||
somewhere in the aa hasher, and caused the existing profile to be
|
|
||||||
rewritten (without changes).
|
|
||||||
|
|
||||||
However, with FileRule it causes a crash saying
|
|
||||||
|
|
||||||
File ".../utils/apparmor/aa.py", line 1335, in handle_children
|
|
||||||
aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
|
|
||||||
AttributeError: 'collections.defaultdict' object has no attribute 'add'
|
|
||||||
|
|
||||||
This patch makes sure exec events for unknown profiles get ignored.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Reproducer:
|
|
||||||
|
|
||||||
python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
|
|
||||||
|
|
||||||
This causes a crash without this patch because
|
|
||||||
/etc/apparmor.d/sbin.klogd exists, but has
|
|
||||||
profile klogd /{usr/,}sbin/klogd {
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
References: https://bugs.launchpad.net/bugs/1379874
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
|
|
||||||
|
|
||||||
|
|
||||||
*** *** *** backport
|
|
||||||
*** *** *** --fixes lp:1379874
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3349
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Fri 2016-09-30 00:08:08 +0200
|
|
||||||
message:
|
|
||||||
Allow both paths in traceroute profile
|
|
||||||
|
|
||||||
In 2011 (r1803), the traceroute profile was changed to also match
|
|
||||||
/usr/bin/traceroute.db:
|
|
||||||
/usr/{sbin/traceroute,bin/traceroute.db} {
|
|
||||||
|
|
||||||
However, permissions for /usr/bin/traceroute.db were never added.
|
|
||||||
This patch fixes this.
|
|
||||||
|
|
||||||
|
|
||||||
While on it, also change the /usr/sbin/traceroute permissions from
|
|
||||||
rmix to the less confusing mrix.
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3348
|
|
||||||
committer: Tyler Hicks <tyhicks@canonical.com>
|
|
||||||
branch nick: apparmor-2.10
|
|
||||||
timestamp: Wed 2016-09-14 12:50:43 -0500
|
|
||||||
message:
|
|
||||||
libapparmor: Force libtoolize to replace existing files
|
|
||||||
|
|
||||||
Fixes build error when attempting to build and test the 2.10.95 release
|
|
||||||
on Ubuntu 14.04:
|
|
||||||
|
|
||||||
$ (cd libraries/libapparmor/ && ./autogen.sh && ./configure && \
|
|
||||||
make && make check) > /dev/null
|
|
||||||
...
|
|
||||||
libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-0.1, but the
|
|
||||||
libtool: definition of this LT_INIT comes from libtool 2.4.2.
|
|
||||||
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-0.1
|
|
||||||
libtool: and run autoconf again.
|
|
||||||
make[2]: *** [grammar.lo] Error 63
|
|
||||||
make[1]: *** [all] Error 2
|
|
||||||
make: *** [all-recursive] Error 1
|
|
||||||
|
|
||||||
The --force option is needed to regenerate the libtool file in
|
|
||||||
libraries/libapparmor/.
|
|
||||||
|
|
||||||
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
|
|
||||||
Acked-by: Steve Beattie <steve@nxnw.org>
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 3347
|
|
||||||
committer: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Mon 2016-09-12 23:35:00 +0200
|
|
||||||
message:
|
|
||||||
Allow 'kcm' in network rules
|
|
||||||
|
|
||||||
This is probably
|
|
||||||
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/plain/Documentation/networking/kcm.txt
|
|
||||||
|
|
||||||
|
|
||||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
=== modified file 'libraries/libapparmor/autogen.sh'
|
|
||||||
--- libraries/libapparmor/autogen.sh 2014-01-03 23:13:26 +0000
|
|
||||||
+++ libraries/libapparmor/autogen.sh 2016-09-14 17:50:43 +0000
|
|
||||||
@@ -38,6 +38,6 @@
|
|
||||||
echo "Running autoconf"
|
|
||||||
autoconf --force
|
|
||||||
echo "Running libtoolize"
|
|
||||||
-libtoolize --automake -c
|
|
||||||
+libtoolize --automake -c --force
|
|
||||||
echo "Running automake"
|
|
||||||
automake -ac
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
|
|
||||||
--- profiles/apparmor.d/sbin.syslog-ng 2015-11-11 15:44:47 +0000
|
|
||||||
+++ profiles/apparmor.d/sbin.syslog-ng 2016-10-13 18:29:59 +0000
|
|
||||||
@@ -48,6 +48,7 @@
|
|
||||||
/{usr/,}sbin/syslog-ng mr,
|
|
||||||
/sys/devices/system/cpu/online r,
|
|
||||||
/usr/share/syslog-ng/** r,
|
|
||||||
+ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
|
|
||||||
# chrooted applications
|
|
||||||
@{CHROOT_BASE}/var/lib/*/dev/log w,
|
|
||||||
@{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
|
|
||||||
--- profiles/apparmor.d/usr.lib.dovecot.auth 2016-04-06 22:53:30 +0000
|
|
||||||
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2016-10-05 18:53:37 +0000
|
|
||||||
@@ -38,7 +38,7 @@
|
|
||||||
/var/tmp/smtp_* rw,
|
|
||||||
|
|
||||||
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
|
|
||||||
- /{var/,}run/dovecot/stats-user w,
|
|
||||||
+ /{var/,}run/dovecot/stats-user rw,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
#include <local/usr.lib.dovecot.auth>
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.config'
|
|
||||||
--- profiles/apparmor.d/usr.lib.dovecot.config 2014-06-27 19:14:53 +0000
|
|
||||||
+++ profiles/apparmor.d/usr.lib.dovecot.config 2016-10-05 18:53:37 +0000
|
|
||||||
@@ -23,6 +23,7 @@
|
|
||||||
/usr/bin/doveconf rix,
|
|
||||||
/usr/lib/dovecot/config mr,
|
|
||||||
/usr/lib/dovecot/managesieve Px,
|
|
||||||
+ /usr/share/dovecot/** r,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
#include <local/usr.lib.dovecot.config>
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
|
|
||||||
--- profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000
|
|
||||||
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:53:37 +0000
|
|
||||||
@@ -25,7 +25,14 @@
|
|
||||||
@{DOVECOT_MAILSTORE}/** rwkl,
|
|
||||||
|
|
||||||
@{HOME} r, # ???
|
|
||||||
- /usr/lib/dovecot/imap mr,
|
|
||||||
+
|
|
||||||
+ /etc/dovecot/dovecot.conf r,
|
|
||||||
+ /etc/dovecot/conf.d/ r,
|
|
||||||
+ /etc/dovecot/conf.d/** r,
|
|
||||||
+
|
|
||||||
+ /usr/bin/doveconf rix,
|
|
||||||
+ /usr/lib/dovecot/imap mrix,
|
|
||||||
+ /usr/share/dovecot/** r,
|
|
||||||
/{,var/}run/dovecot/auth-master rw,
|
|
||||||
/{,var/}run/dovecot/mounts r,
|
|
||||||
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
|
|
||||||
--- profiles/apparmor.d/usr.lib.dovecot.lmtp 2015-04-27 19:33:06 +0000
|
|
||||||
+++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2016-10-05 18:53:37 +0000
|
|
||||||
@@ -25,6 +25,8 @@
|
|
||||||
@{DOVECOT_MAILSTORE}/ rw,
|
|
||||||
@{DOVECOT_MAILSTORE}/** rwkl,
|
|
||||||
|
|
||||||
+ @{HOME}/.dovecot.svbin r,
|
|
||||||
+
|
|
||||||
/proc/*/mounts r,
|
|
||||||
/tmp/dovecot.lmtp.* rw,
|
|
||||||
/usr/lib/dovecot/lmtp mr,
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/usr.sbin.traceroute'
|
|
||||||
--- profiles/apparmor.d/usr.sbin.traceroute 2011-11-30 12:15:21 +0000
|
|
||||||
+++ profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:08:08 +0000
|
|
||||||
@@ -20,7 +20,8 @@
|
|
||||||
network inet raw,
|
|
||||||
network inet6 raw,
|
|
||||||
|
|
||||||
- /usr/sbin/traceroute rmix,
|
|
||||||
+ /usr/sbin/traceroute mrix,
|
|
||||||
+ /usr/bin/traceroute.db mrix,
|
|
||||||
@{PROC}/net/route r,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
|
|
||||||
=== modified file 'utils/apparmor/aa.py'
|
|
||||||
--- utils/apparmor/aa.py 2016-08-15 20:06:47 +0000
|
|
||||||
+++ utils/apparmor/aa.py 2016-10-01 18:25:51 +0000
|
|
||||||
@@ -1168,6 +1168,9 @@
|
|
||||||
prelog[aamode][profile][hat]['path'][path] = mode
|
|
||||||
|
|
||||||
if do_execute:
|
|
||||||
+ if not aa[profile][hat]:
|
|
||||||
+ continue # ignore log entries for non-existing profiles
|
|
||||||
+
|
|
||||||
if profile_known_exec(aa[profile][hat], 'exec', exec_target):
|
|
||||||
continue
|
|
||||||
|
|
||||||
|
|
||||||
=== modified file 'utils/apparmor/rule/network.py'
|
|
||||||
--- utils/apparmor/rule/network.py 2016-02-18 22:31:56 +0000
|
|
||||||
+++ utils/apparmor/rule/network.py 2016-09-12 21:35:00 +0000
|
|
||||||
@@ -27,7 +27,7 @@
|
|
||||||
network_domain_keywords = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
|
|
||||||
'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
|
|
||||||
'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
|
|
||||||
- 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]
|
|
||||||
+ 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm' ]
|
|
||||||
|
|
||||||
network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
|
|
||||||
network_protocol_keywords = ['tcp', 'udp', 'icmp']
|
|
||||||
|
|
||||||
=== modified file 'utils/apparmor/ui.py'
|
|
||||||
--- utils/apparmor/ui.py 2014-11-17 12:30:04 +0000
|
|
||||||
+++ utils/apparmor/ui.py 2016-10-03 19:02:15 +0000
|
|
||||||
@@ -249,7 +249,6 @@
|
|
||||||
'CMD_EXEC_IX_ON': _('(X) ix On'),
|
|
||||||
'CMD_EXEC_IX_OFF': _('(X) ix Off'),
|
|
||||||
'CMD_SAVE': _('(S)ave Changes'),
|
|
||||||
- 'CMD_CONTINUE': _('(C)ontinue Profiling'),
|
|
||||||
'CMD_NEW': _('(N)ew'),
|
|
||||||
'CMD_GLOB': _('(G)lob'),
|
|
||||||
'CMD_GLOBEXT': _('Glob with (E)xtension'),
|
|
||||||
@@ -278,7 +277,6 @@
|
|
||||||
'CMD_NET_FAMILY': _('Allow Network Fa(m)ily'),
|
|
||||||
'CMD_OVERWRITE': _('(O)verwrite Profile'),
|
|
||||||
'CMD_KEEP': _('(K)eep Profile'),
|
|
||||||
- 'CMD_CONTINUE': _('(C)ontinue'),
|
|
||||||
'CMD_IGNORE_ENTRY': _('(I)gnore')
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
Index: libraries/libapparmor/swig/python/Makefile.am
|
|
||||||
===================================================================
|
|
||||||
--- libraries/libapparmor/swig/python/Makefile.am.orig 2014-01-06 23:08:55.000000000 +0100
|
|
||||||
+++ libraries/libapparmor/swig/python/Makefile.am 2016-08-26 18:03:52.526582753 +0200
|
|
||||||
@@ -6,9 +6,8 @@ SUBDIRS = test
|
|
||||||
|
|
||||||
libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i
|
|
||||||
$(SWIG) -python -I$(srcdir)/../../include -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i
|
|
||||||
- mv LibAppArmor.py __init__.py
|
|
||||||
|
|
||||||
-MOSTLYCLEANFILES=libapparmor_wrap.c __init__.py
|
|
||||||
+MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
|
|
||||||
|
|
||||||
all-local: libapparmor_wrap.c setup.py
|
|
||||||
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
|
|
||||||
Index: libraries/libapparmor/swig/python/__init__.py
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
||||||
+++ libraries/libapparmor/swig/python/__init__.py 2016-08-26 18:03:16.790763701 +0200
|
|
||||||
@@ -0,0 +1 @@
|
|
||||||
+from LibAppArmor.LibAppArmor import *
|
|
||||||
Index: libraries/libapparmor/swig/python/Makefile.in
|
|
||||||
===================================================================
|
|
||||||
--- libraries/libapparmor/swig/python/Makefile.in.orig 2016-04-20 11:09:04.000000000 +0200
|
|
||||||
+++ libraries/libapparmor/swig/python/Makefile.in 2016-08-26 18:04:51.770288833 +0200
|
|
||||||
@@ -326,7 +326,7 @@ top_builddir = @top_builddir@
|
|
||||||
top_srcdir = @top_srcdir@
|
|
||||||
@HAVE_PYTHON_TRUE@EXTRA_DIST = libapparmor_wrap.c
|
|
||||||
@HAVE_PYTHON_TRUE@SUBDIRS = test
|
|
||||||
-@HAVE_PYTHON_TRUE@MOSTLYCLEANFILES = libapparmor_wrap.c __init__.py
|
|
||||||
+@HAVE_PYTHON_TRUE@MOSTLYCLEANFILES = libapparmor_wrap.c LibAppArmor.py
|
|
||||||
all: all-recursive
|
|
||||||
|
|
||||||
.SUFFIXES:
|
|
||||||
@@ -648,7 +648,6 @@ uninstall-am:
|
|
||||||
|
|
||||||
@HAVE_PYTHON_TRUE@libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i
|
|
||||||
@HAVE_PYTHON_TRUE@ $(SWIG) -python -I$(srcdir)/../../include -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i
|
|
||||||
-@HAVE_PYTHON_TRUE@ mv LibAppArmor.py __init__.py
|
|
||||||
|
|
||||||
@HAVE_PYTHON_TRUE@all-local: libapparmor_wrap.c setup.py
|
|
||||||
@HAVE_PYTHON_TRUE@ if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
|
|
@ -1,26 +0,0 @@
|
|||||||
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
|
|
||||||
--- profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:49 +0000
|
|
||||||
+++ profiles/apparmor.d/abstractions/nameservice 2016-10-22 19:55:04 +0000
|
|
||||||
@@ -46,7 +46,7 @@
|
|
||||||
# to vast speed increases when working with network-based lookups.
|
|
||||||
/{,var/}run/.nscd_socket rw,
|
|
||||||
/{,var/}run/nscd/socket rw,
|
|
||||||
- /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,hosts} r,
|
|
||||||
+ /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
|
|
||||||
# nscd renames and unlinks files in it's operation that clients will
|
|
||||||
# have open
|
|
||||||
/{,var/}run/nscd/db* rmix,
|
|
||||||
|
|
||||||
=== modified file 'profiles/apparmor.d/usr.sbin.nscd'
|
|
||||||
--- profiles/apparmor.d/usr.sbin.nscd 2016-03-21 20:30:19 +0000
|
|
||||||
+++ profiles/apparmor.d/usr.sbin.nscd 2016-10-22 19:54:36 +0000
|
|
||||||
@@ -28,7 +28,7 @@
|
|
||||||
/{,var/}run/nscd/ rw,
|
|
||||||
/{,var/}run/nscd/db* rwl,
|
|
||||||
/{,var/}run/nscd/socket wl,
|
|
||||||
- /{var/cache,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
|
|
||||||
+ /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
|
|
||||||
/{,var/}run/{nscd/,}nscd.pid rwl,
|
|
||||||
/var/log/nscd.log rw,
|
|
||||||
@{PROC}/@{pid}/cmdline r,
|
|
||||||
|
|