diff --git a/aa-remove-unknown-fix-unconfined.diff b/aa-remove-unknown-fix-unconfined.diff deleted file mode 100644 index c2970a2..0000000 --- a/aa-remove-unknown-fix-unconfined.diff +++ /dev/null @@ -1,26 +0,0 @@ -commit cabd88a94055d2a7b876758d36fe559a6b728f45 -Author: Christian Boltz -Date: Sat May 25 13:12:49 2024 +0200 - - Fix aa-remove-unknown for 'unconfined' profiles - - Without this patch, aa-remove-unknown uses 'profile_name (unconfined)' - when trying to unload unconfined profiles, which fails for obvious - reasons with (picking a random example) - - Removing 'busybox (unconfined)' - /sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory - -diff --git a/utils/aa-remove-unknown b/utils/aa-remove-unknown -index 0e00d6a03..983d23727 100755 ---- a/utils/aa-remove-unknown -+++ b/utils/aa-remove-unknown -@@ -89,7 +89,7 @@ LOADED_PROFILES=$("$PARSER" -N $PROFILE_DIRS) || { - echo "$LOADED_PROFILES" | awk ' - BEGIN { - while (getline < "'${PROFILES}'" ) { -- str = sub(/ \((enforce|complain)\)$/, "", $0); -+ str = sub(/ \((enforce|complain|unconfined)\)$/, "", $0); - if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0) - arr[$str] = $str - } diff --git a/apparmor-v4.0.1.tar.gz b/apparmor-v4.0.1.tar.gz deleted file mode 100644 index fa9018b..0000000 --- a/apparmor-v4.0.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b0d72cedc48e533d189ea415bde721ad597101c77fa398fdd2858ec4f58f7e26 -size 6984984 diff --git a/apparmor-v4.0.1.tar.gz.asc b/apparmor-v4.0.1.tar.gz.asc deleted file mode 100644 index 4b20033..0000000 --- a/apparmor-v4.0.1.tar.gz.asc +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmYYxToaHGFwcGFybW9y -QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLuLfBAA1lpdyEcNhLvw0Ff0rkt7 -Zoj/TgxYal/6FwuJ10eUnHrZhwGjhiX8zin2gbZaM7X8kscsSwelEqquSliu6lqp -O63B8cGa6/eu0CnJ2s5aLteeEDWqt1SjD9CBufGtTjNpCvSKR59Hl4quj2zwGF8P -+XHAxpnXOzdaxZtbi8h18ehtOxz23A2QJvKJYavIpTNwVPIvwnS2ryKrXnF8NjH+ -s89xMc2ZE1JT+bjWA+DwcvjXPGmMBacijbfuKLrV77dYoML2dmPNvDJyuJpnvKQU -5FhfUjUILHmRYZJF5eT9f2KVt6cYzVlIUP9yxjbkrGoaAHGYijcASNZSQeRWvGER -S9T6TW7QO2TzetBT68xstHZBmcSEyKF+uQ9hoJjGAJJo6L1R2SQK8ILg3voyoF48 -Hi+Ud5i9w7vF+UFVphVt+904nmruVzJ57oLlDts+q0jEODM6+YwQODgBR4JeXF6T -PJAXKpUBmYc12GzRSu6zlTDQIGJ0LewKtt/u1NLEDym3hWHs/2P2ISAO+/RLDv0U -klc3MndlgH1Ua9Gu6crLg9YrDxIguCooT1GQKnpOiic80n8VgMMViT3FsnMVGtmK -VQ9XVyotbZrni7ctWRywPpQIwZuKEs3J9A3wbCX/fwuKgTiB5XQvl7EHLypAbWUp -6X11aT86R3L9vOckHjywgLY= -=eji6 ------END PGP SIGNATURE----- - diff --git a/apparmor-v4.0.2.tar.gz b/apparmor-v4.0.2.tar.gz new file mode 100644 index 0000000..919333f --- /dev/null +++ b/apparmor-v4.0.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b847751b8c0e2344169ec2065cad6251063c5c5ff311953e194bbf25686d981 +size 6987316 diff --git a/apparmor-v4.0.2.tar.gz.asc b/apparmor-v4.0.2.tar.gz.asc new file mode 100644 index 0000000..f9f8b72 --- /dev/null +++ b/apparmor-v4.0.2.tar.gz.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmagRIsaHGFwcGFybW9y +QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLtWbg//brM4s3laj5L+MnsiOeHr +x3V9lC3hM2N1IEMBLuEZLZ6pZg0WKDAyJ93DdBmVrX/xXIw6vPUvWRCW8rGv9JJr +e5KvCI8282gRqvldowc+GX92KuXVTWBafccqlxvfnjLPIjas1/Ft4oubsv5PK97F +ix4wlW6A+/CXNQ3vP2Dbpb/gVsCOwmSLqJUQz3g40PXUdmB6qHaw3XsIBQWUTX91 +AIPQ6WA9OEp4kupqTgw0ih/8XsLVzb8xx8v5AzQILy1jEV4E7IIN01nN5dXrj+25 +s0kZO1iEctNVgsU3Db7BJMJvAolps1R+c5I6grcS01FaOAwx1TuSacZaDkn+rqpn +mX62UOly3OHAV7WW1X5U/Jt0rqwekH1su1TlI66bqu7OATlfdceLXe0S79U8txEd +1T4iZZEPjflk5YjqNYN/C4nDgbNQ9wTDmnY4Q2+ExJKzv/ddD1ulEMiZAE/skNj2 +ztdwB3RZ6aeck0iWuWq/EQsg4c68rnKxwmROzmMuAPtMF3SS1B3CKQDMVib/aJn7 +DY+K4aXBMXrt0RTVa1n86/hDorWaJcB3XoVXGTaEAQhxzArVCF7/p3uVpoK0AM/D +VYCta1j6cFupVQAHRR2m2+Y3fOFiFRWY9TPE62TTNKERjLQpA2MujevkQ7UOGnuC +Q6BkrVpPQyVuhIXsP0GkH/c= +=fBvk +-----END PGP SIGNATURE----- + diff --git a/apparmor.changes b/apparmor.changes index b1cfe06..ec07a36 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Wed Jul 24 16:54:18 UTC 2024 - Christian Boltz + +- update to AppArmor 4.0.2 + - bugfix release with lots of fixes in all areas + - add new userns profiles for balena-etcher, chromium and wike + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.2 + for the detailed upstream changelog +- drop upstream(ed) patches: + - aa-remove-unknown-fix-unconfined.diff + - logprof-mount-empty-source.diff + - plasmashell.diff + - sampa-rpcd-witness.diff + - sddm-xauth.diff + - teardown-unconfined.diff + - test-aa-notify.diff + - tools-fix-redefinition.diff + - utils-relax-mount-rules-2.diff + - utils-relax-mount-rules.diff +- refresh GPG key (was expired) + ------------------------------------------------------------------- Tue Jun 25 19:40:41 UTC 2024 - Christian Boltz diff --git a/apparmor.keyring b/apparmor.keyring index dd2dba6..7fa0c37 100644 --- a/apparmor.keyring +++ b/apparmor.keyring @@ -49,41 +49,65 @@ KxhyCo3Oc8WGpNX7ta/i3umUk0JlNl2vKiqjFilDWiu2ygXzzucmcQCkYQElrmUC qGMBDnZWAi6qR1yMDiOdeIHni6V8GAjRUGVUhrqzMRNF091Szthxn4EQGOoZSBZl 9MkKm02hlj95eE+7UtSk/tAtLNxnIhwsz4OYxQxKh/kmj7AD8D2mD4ImQKaoCIPv YJOXt6fHSLWZGNOSAn6oOWgAb4yMfausgJsE+USEsYphAyE/gfyPEqM3h7RzWmFi -u6UHYeKGpEzi6r66x/+WBH7VwJDM0Zg3KfDPXznyq3ZSUjpplQQI56UXttG5Ag0E -VTAesAEQALOrZwOHmAYfjX0/AgaaTFitlbJWCWZc8j/ix/90CrKuv8VGRI1b5VnP -D/ItV8DjNb221hF4myYUqpelKgXxyLlF9l/V9tr3G/gjnHhYEY1xpRnN0qbu8xb+ -t4lEOw3Dt/rO8v1WVRS2UvyVKew5tsTIKsjygxTAnO7yiMUyJR9F+ZDQhCtgLyEW -CYySSewbqBBOspJffEOYU94Bo3XVMDX22Gb4atwRsq8MyJLlEYb3bgubP7rsL6GY -pzodG8M+Q2nqmsOaIyIuQK6fqpBALluN07fIqUS6HF41w0DEogSm/lLLL2ARddPw -N4tCa61IcdvVJhIwHqbNftv7fC2Rr4S4LBaTdWu62k4cPQcIkwy3Fsuu2XKry/7e -by/23J80FVp4XJHsgS31yIaIh7l43DxHcTcFEYQhbsAGznmucDjuaZU7qcEarxUy -uIsJ5VI7sj8P716dK9xOeDvw8r32IFbt7qBsa0ZRcum/H9u7rUelCucbgNZUnuOT -pbZttItyVPwPAkNCI36mhqY26hCOoBbGvGxg81Gxzr9GjQskxcCRzTFCpKG1eXal -0J0muiPyBereLcelB8NmuPM1tbTaAw0dIJHlCmYZLhSsvx7H7cNicZRmH9LExVVV -tFDh09s7nJNvAN1pCQB6cDoVqPiUztKO/hOiIbot3pzpQxTUHkJVABEBAAGJAiUE -GAEKAA8FAlUwHrACGwwFCQ8JnAAACgkQZonmTj02ZLst/A//Qz6ROHlu+LLiuvo6 -0JSd3+oKhv8MEuRsJsesRnP/7bJRBrUhL3cGMqtTa6YP8JwwRTQXrKW0evtC0W59 -YSRzPUe99Gu7YfUHeus3GvVxpvR6Tsr7jnqA3k6zb+M//UvgGwCMA+KLXC2Gkfn3 -Pybffcva4OeSR3xxRNohb5ME8bbA3YI4n4+DJ31IBqqlUWY7QKguFaLHIrjY4lNu -bXZLJ5SrZWVVf6/5LauqXrhFkkj0pyc3/fqRYCAx0O4KlrxcSEk/YPELxBwXJ24/ -v9l1glk1a6KfLpU/4cpuU/oiadzrGPMddJBq4OynmFS7HP5otoAlJLXIEDbeV92F -/5h+7iu4wYUgJ0dcCRFcG3YkUhWyS3dwv+0Gs0SQOLQkboXNgBL2AskjK+UmUSWB -dcXQ5mXrSSOHbnjFEMQflDz+ykEN3PDQWQdLeE9aMzewNJJm5f1gBkPPDTBAYzqy -XjL4FfwjYl6uEX1IhLrTo0BpP7TqQ4fnBrhLnW7pc35R1ehdrpdKj9+qFUe3/ky7 -UD3SAyQDrmOLRf5e79iijdSLVPHnzi2q0ckWcNBrjAluaMHu7OpumSTvEoUgjW+A -trJLwyQW+D6WeaO+Cv+97SGgdmdUJLOZ32RmAaQpB9NoYUhlFzbgPji1wgvUrbQH -5yyRGqGl57sQZptruxrN2lWTcDSJAjwEGAEKACYCGwwWIQQ+zcul+zTSVJYcxT9m -ieZOPTZkuwUCZFENowUJEQIicwAKCRBmieZOPTZku47eEAC2yveESIGTnAcyJW04 -6igIK4NRwdfF89TDO5rJa8ZrKhbPw2Qk6CNf575cLj4/CMo6oJV3zv4a4CXztZ2B -8ObJ83pWX8AErQxA4dZdd2J+wl+5bPfeXI1Rm7FmOm32IrJfBI5hRSCq8/GBagaF -xnX5BTmnnWiDRKviodZ3kb9JVl4r1Nj4ELfC2eWpkp9KsAtrP48vK7DD7wP2uc/Z -ngCVzzSiWRLFOsUyVssYjgKZlFGYZ0w0kcTJoeoCTXU1/YvudFjeYb9vHBCJIoDU -NZi4Szxww6bnhgeCldP7Hr9rqwuPk8ReVcvbQOThORubY79oGdCp+ZmmoMFqAlDL -PektIdi0ZoP1a/u/d7qWTutLfkSHL2xwITtjVQtYY3wsuf9FVua8sksohSXuYW+d -DvP76y5EHZjituhykWm1SB74vy7XwxTJqhwTUgjdjc6Mwm4wu2eGCarfSTPrEin3 -X6oFB7TUFddDc8gADKmPsy+Q2ts7RAZzl1dPQEmHBhwbH9ifXtahQjlg7XKYN7A6 -ByfDxcono0VHBte5gTHIoi9k7CwEIHqjlHphpCORnzFemu52kdSN49gwrqK5hGTr -uv0BfG/LcYu2px9O2b65QTcR4nF1Zr07XfzL3pMUHsDquYBS67L2FnyXwOEfxRnX -EC34BZpyVkv7QfB5AuuQGbIeFQ== -=QOb0 +u6UHYeKGpEzi6r66x/+WBH7VwJDM0Zg3KfDPXznyq3ZSUjpplQQI56UXttGJAlQE +EwEKAD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQQ+zcul+zTSVJYcxT9m +ieZOPTZkuwUCZqBB6wUJFxO9uwAKCRBmieZOPTZku9aiEACv1PUxGDIQGJsbLhQE +rDVW7zKReA7tuRB8x2b3oqZmDom0Myf4ARrh7ELDemLU1FwlWxV6UAl0fDiKY7X1 +gAyFuWZzjqj7R79OruE2UoQHgkrmi+EqUhBTDL3Nmx3aStPSZ+Oo8vgbPcEks+Do +9TJUOTLHV5VM7RnHUNtQgIk/MoxsRngCldk8tKua8GYT29JBrtNxuSshbzzfv9c7 +J22PO0D8HTSNJuuWNVZSAwo0GdcyRSagi4xx++55deGwaKIf7Q4tU0SWXiAdVqdr +V+6QfEE1NSqvE6ELLDnVIErez7zHYi4cqmlwnD0CXtIxBV6xugbpKYTKU7CjwYAd +kVreSixvp1mHM+6BP1UBBF1UUzRTpm5gKkhFF/sztJuZdbYrQF7k4eOR5cvsA61i +DVdI78Xx4WDb4XBQy1KilKeQPjjGuDOWt96wBVQ147jiZ7LeOipgZhtKMda7JA/M +1epZo4OYi/272esCrlAiniEyTRwiwzJ0IyVHtUDgpZaYwmBEqsLWysMTqEPqhl28 +XS9JiEBuL2FM9SZCoebncCE0eXduB6jdqxYTLjmSi4d1UgPrkRPoQpqbjKzUWd6H +wkSAaYc4eoavOU5vzY0Pc0J8iuVkeSkLkCv1Ryt9Lw3boeljopzb0ETCtoPwx7TS +4kxiFLSwRVUMp08RVfFRZ1RUTbkCDQRVMB6wARAAs6tnA4eYBh+NfT8CBppMWK2V +slYJZlzyP+LH/3QKsq6/xUZEjVvlWc8P8i1XwOM1vbbWEXibJhSql6UqBfHIuUX2 +X9X22vcb+COceFgRjXGlGc3Spu7zFv63iUQ7DcO3+s7y/VZVFLZS/JUp7Dm2xMgq +yPKDFMCc7vKIxTIlH0X5kNCEK2AvIRYJjJJJ7BuoEE6ykl98Q5hT3gGjddUwNfbY +Zvhq3BGyrwzIkuURhvduC5s/uuwvoZinOh0bwz5Daeqaw5ojIi5Arp+qkEAuW43T +t8ipRLocXjXDQMSiBKb+UssvYBF10/A3i0JrrUhx29UmEjAeps1+2/t8LZGvhLgs +FpN1a7raThw9BwiTDLcWy67ZcqvL/t5vL/bcnzQVWnhckeyBLfXIhoiHuXjcPEdx +NwURhCFuwAbOea5wOO5plTupwRqvFTK4iwnlUjuyPw/vXp0r3E54O/DyvfYgVu3u +oGxrRlFy6b8f27utR6UK5xuA1lSe45Oltm20i3JU/A8CQ0IjfqaGpjbqEI6gFsa8 +bGDzUbHOv0aNCyTFwJHNMUKkobV5dqXQnSa6I/IF6t4tx6UHw2a48zW1tNoDDR0g +keUKZhkuFKy/Hsftw2JxlGYf0sTFVVW0UOHT2zuck28A3WkJAHpwOhWo+JTO0o7+ +E6Ihui3enOlDFNQeQlUAEQEAAYkCJQQYAQoADwUCVTAesAIbDAUJDwmcAAAKCRBm +ieZOPTZkuy38D/9DPpE4eW74suK6+jrQlJ3f6gqG/wwS5Gwmx6xGc//tslEGtSEv +dwYyq1Nrpg/wnDBFNBespbR6+0LRbn1hJHM9R730a7th9Qd66zca9XGm9HpOyvuO +eoDeTrNv4z/9S+AbAIwD4otcLYaR+fc/Jt99y9rg55JHfHFE2iFvkwTxtsDdgjif +j4MnfUgGqqVRZjtAqC4VosciuNjiU25tdksnlKtlZVV/r/ktq6peuEWSSPSnJzf9 ++pFgIDHQ7gqWvFxIST9g8QvEHBcnbj+/2XWCWTVrop8ulT/hym5T+iJp3OsY8x10 +kGrg7KeYVLsc/mi2gCUktcgQNt5X3YX/mH7uK7jBhSAnR1wJEVwbdiRSFbJLd3C/ +7QazRJA4tCRuhc2AEvYCySMr5SZRJYF1xdDmZetJI4dueMUQxB+UPP7KQQ3c8NBZ +B0t4T1ozN7A0kmbl/WAGQ88NMEBjOrJeMvgV/CNiXq4RfUiEutOjQGk/tOpDh+cG +uEudbulzflHV6F2ul0qP36oVR7f+TLtQPdIDJAOuY4tF/l7v2KKN1ItU8efOLarR +yRZw0GuMCW5owe7s6m6ZJO8ShSCNb4C2skvDJBb4PpZ5o74K/73tIaB2Z1Qks5nf +ZGYBpCkH02hhSGUXNuA+OLXCC9SttAfnLJEaoaXnuxBmm2u7Gs3aVZNwNIkCPAQY +AQoAJgIbDBYhBD7Ny6X7NNJUlhzFP2aJ5k49NmS7BQJkUQ2jBQkRAiJzAAoJEGaJ +5k49NmS7jt4QALbK94RIgZOcBzIlbTjqKAgrg1HB18Xz1MM7mslrxmsqFs/DZCTo +I1/nvlwuPj8IyjqglXfO/hrgJfO1nYHw5snzelZfwAStDEDh1l13Yn7CX7ls995c +jVGbsWY6bfYisl8EjmFFIKrz8YFqBoXGdfkFOaedaINEq+Kh1neRv0lWXivU2PgQ +t8LZ5amSn0qwC2s/jy8rsMPvA/a5z9meAJXPNKJZEsU6xTJWyxiOApmUUZhnTDSR +xMmh6gJNdTX9i+50WN5hv28cEIkigNQ1mLhLPHDDpueGB4KV0/sev2urC4+TxF5V +y9tA5OE5G5tjv2gZ0Kn5maagwWoCUMs96S0h2LRmg/Vr+793upZO60t+RIcvbHAh +O2NVC1hjfCy5/0VW5ryySyiFJe5hb50O8/vrLkQdmOK26HKRabVIHvi/LtfDFMmq +HBNSCN2NzozCbjC7Z4YJqt9JM+sSKfdfqgUHtNQV10NzyAAMqY+zL5Da2ztEBnOX +V09ASYcGHBsf2J9e1qFCOWDtcpg3sDoHJ8PFyiejRUcG17mBMciiL2TsLAQgeqOU +emGkI5GfMV6a7naR1I3j2DCuormEZOu6/QF8b8txi7anH07ZvrlBNxHicXVmvTtd +/MvekxQewOq5gFLrsvYWfJfA4R/FGdcQLfgFmnJWS/tB8HkC65AZsh4ViQI8BBgB +CgAmAhsMFiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmagQiYFCRcTvfYACgkQZonm +Tj02ZLt61A//dhIMU1VyuoaIpWbYtKoM4j1iJGl76EynpemY9bvHrU/DkJYCOxwO +XRu2OlRwp5Kf5RNSS4g7Aloqhdk9MTPWgxxvXRYRF0gbTnYSjN4pi1abi3PqrMsB +B/2xHEbmZpDfUu2nvyzkULhmmxYktHCEqUA9Eh3OkWztWq4eH7TwHIxEcE+TnGwo +vP0pxyPhYZP2fA6prVnSwfd5HB9CuJc9bVPPbnvv1FUbxFbbxA3ysU92Y2YqxQxF +2u4+f3D1bKMEOTfNY04AflpEHdeO8wG/em/SgHUsv2V++4kOfa/xW2siM5CW7h2Y +WRbgmg9E7CrR80sCw0/J8O+hCdRKHGZmXT3G0tyvPJOMY0M5eCctzz2RlxPp3W4D +U3GgOjF0s52kE5O2Kv9J3Xse8erYm18DzNfb/H3ALwWBL3lCep8cjk+C8OkTp+ZZ +pxN6UnDHDXRuuFBvD9dZW5/JqHer50BOiFiOlC1W2KbkPGk/s3AU2YLXy7SS29ZD +rrgLpsMKYkOuu1eQQVvLwH8WnwwxFwsKXUmTpl97ScqkqGl7gRIZtQpV8hgG6Y1t +L7323BytkbKejrcBmMEYXSbNhjff8hLfPuBVOrOZ+OrOd3uLPgzZN+9o9R2rn4eW +Xt3r7xAbhQFB0YU+8kIO5M2cSv3QGfu8uzudVmaQedz7lc3wjSrRw9k= +=z6xV -----END PGP PUBLIC KEY BLOCK----- diff --git a/apparmor.spec b/apparmor.spec index a453ca6..339c5f3 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -51,11 +51,11 @@ %define CATALINA_HOME /usr/share/tomcat6 %define JAR_FILE changeHatValve.jar -%define tarversion v4.0.1 -%define pyeggversion 4.0.1 +%define tarversion v4.0.2 +%define pyeggversion 4.0.2 Name: apparmor -Version: 4.0.1 +Version: 4.0.2 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later @@ -82,34 +82,6 @@ Patch6: apache-extra-profile-include-if-exists.diff # add path for precompiled cache (only done/applied if precompiled_cache is enabled) Patch7: apparmor-enable-precompiled-cache.diff -# fix redefinition of _ in tools (merged upstream 2024-04-22 https://gitlab.com/apparmor/apparmor/-/merge_requests/1218) -Patch10: tools-fix-redefinition.diff - -# make test-aa-notify a bit more relaxed to allow different argparse wording on Leap 15.5 (merged upstream 2024-05-06 (4.0 and master) https://gitlab.com/apparmor/apparmor/-/merge_requests/1226) -Patch11: test-aa-notify.diff - -# Fix aa-remove-unknown for 'unconfined' profiles (merged upstream 2024-05-28 in 4.0 and master https://gitlab.com/apparmor/apparmor/-/merge_requests/1240) -Patch12: aa-remove-unknown-fix-unconfined.diff - -# Fix aa-teardown for 'unconfined' profiles (submitted upstream 2024-05-28 https://gitlab.com/apparmor/apparmor/-/merge_requests/1242) -Patch13: teardown-unconfined.diff - -# Relax handling of mount rules in utils to avoid errors when parsing valid profiles (both patches taken from upstream 4.0 branch 2024-05-28) -Patch14: utils-relax-mount-rules.diff -Patch15: utils-relax-mount-rules-2.diff - -# Fix QtWebEngineProcess path in plasmashell profile (merged upstream 2024-06-04 in 4.0 and master - https://gitlab.com/apparmor/apparmor/-/merge_requests/1248) -Patch16: plasmashell.diff - -# latest sddm uses yet another path for xauth (submitted upstream 2024-06-04 https://gitlab.com/apparmor/apparmor/-/merge_requests/1249) -Patch17: sddm-xauth.diff - -# utils MountRule: add support for quoted paths and empty source (master merged upstream 2024-06-11, 4.0 branch submitted upstream 2024-06-11 https://gitlab.com/apparmor/apparmor/-/merge_requests/1259) -Patch18: logprof-mount-empty-source.diff - -# samba-dcerpcd: allow to execute rpcd_witness (submitted upstream 2024-06-08 https://gitlab.com/apparmor/apparmor/-/merge_requests/1256, packaged patch adjusted to match the packaged samba-rpcd profile) -Patch19: sampa-rpcd-witness.diff - PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf @@ -377,16 +349,6 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/ %if %{with precompiled_cache} %patch -P 7 %endif -%patch -P 10 -p1 -%patch -P 11 -p1 -%patch -P 12 -p1 -%patch -P 13 -p1 -%patch -P 14 -p1 -%patch -P 15 -p1 -%patch -P 16 -p1 -%patch -P 17 -p1 -%patch -P 18 -p1 -%patch -P 19 -p1 %build export SUSE_ASNEEDED=0 @@ -636,6 +598,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la %config(noreplace) %{_sysconfdir}/apparmor.d/Discord %config(noreplace) %{_sysconfdir}/apparmor.d/MongoDB_Compass %config(noreplace) %{_sysconfdir}/apparmor.d/QtWebEngineProcess +%config(noreplace) %{_sysconfdir}/apparmor.d/balena-etcher %config(noreplace) %{_sysconfdir}/apparmor.d/brave %config(noreplace) %{_sysconfdir}/apparmor.d/buildah %config(noreplace) %{_sysconfdir}/apparmor.d/busybox @@ -643,6 +606,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la %config(noreplace) %{_sysconfdir}/apparmor.d/ch-checkns %config(noreplace) %{_sysconfdir}/apparmor.d/ch-run %config(noreplace) %{_sysconfdir}/apparmor.d/chrome +%config(noreplace) %{_sysconfdir}/apparmor.d/chromium %config(noreplace) %{_sysconfdir}/apparmor.d/code # exclude crun, podman and runc profiles until the updated container engines (including updated profile with "signal peer=runc") has arrived #config(noreplace) %{_sysconfdir}/apparmor.d/crun @@ -734,6 +698,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la %config(noreplace) %{_sysconfdir}/apparmor.d/virtiofsd %config(noreplace) %{_sysconfdir}/apparmor.d/vivaldi-bin %config(noreplace) %{_sysconfdir}/apparmor.d/vpnns +%config(noreplace) %{_sysconfdir}/apparmor.d/wike %config(noreplace) %{_sysconfdir}/apparmor.d/wpcom %config(noreplace) %{_sysconfdir}/apparmor.d/zgrep diff --git a/libapparmor.spec b/libapparmor.spec index e507cec..30d6adb 100644 --- a/libapparmor.spec +++ b/libapparmor.spec @@ -17,10 +17,10 @@ # -%define tarversion v4.0.1 +%define tarversion v4.0.2 Name: libapparmor -Version: 4.0.1 +Version: 4.0.2 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1-or-later diff --git a/logprof-mount-empty-source.diff b/logprof-mount-empty-source.diff deleted file mode 100644 index 9dc6a9b..0000000 --- a/logprof-mount-empty-source.diff +++ /dev/null @@ -1,166 +0,0 @@ -From aada708bc1c1787d190529aeafce66e3ce52fb7e Mon Sep 17 00:00:00 2001 -From: Christian Boltz -Date: Sun, 9 Jun 2024 21:51:01 +0200 -Subject: [PATCH 1/2] MountRule: add support for quoted paths - -While on it, make the output for failing tests more verbose for easier -debugging. - -(cherry picked from commit 900f233101553182cffb29aab53e014d25138489, -test-mount.py adjusted for 4.0 branch) ---- - utils/apparmor/rule/mount.py | 6 +++--- - utils/test/test-mount.py | 4 +++- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py -index b2d73a27b..992c29142 100644 ---- a/utils/apparmor/rule/mount.py -+++ b/utils/apparmor/rule/mount.py -@@ -15,7 +15,7 @@ import re - - from apparmor.common import AppArmorBug, AppArmorException - --from apparmor.regex import RE_PROFILE_MOUNT, strip_parenthesis -+from apparmor.regex import RE_PROFILE_MOUNT, strip_parenthesis, strip_quotes - from apparmor.rule import AARE - from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers, logprof_value_or_all, check_and_split_list - -@@ -171,12 +171,12 @@ class MountRule(BaseRule): - options = cls.ALL - - if operation == 'mount' and r['source_file'] is not None: # Umount cannot have a source -- source = r['source_file'] -+ source = strip_quotes(r['source_file']) - else: - source = cls.ALL - - if r['dest_file'] is not None: -- dest = r['dest_file'] -+ dest = strip_quotes(r['dest_file']) - else: - dest = cls.ALL - -diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py -index cb1a89630..6dfe1ac85 100644 ---- a/utils/test/test-mount.py -+++ b/utils/test/test-mount.py -@@ -42,7 +42,9 @@ class MountTestParse(AATest): - ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )), - ('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )), - ('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )), -+ ('mount "/a space",', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a space', MountRule.ALL, False, False, False, '')), - ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )), -+ ('mount fstype=(ext3, ext4) /a -> "/bar space",', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/bar space', False, False, False, '')), - ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, '' )), - ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')), - ('mount fstype=({ext3,ext4}) options in (ro, sync) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'sync')), '/a', '/b', False, False, False, '' )), -@@ -66,7 +68,7 @@ class MountTestParse(AATest): - self.assertTrue(MountRule.match(rawrule)) - obj = MountRule.create_instance(rawrule) - expected.raw_rule = rawrule.strip() -- self.assertTrue(obj.is_equal(expected, True)) -+ self.assertTrue(obj.is_equal(expected, True), f'\n {rawrule} expected,\n {obj.get_clean()} returned by obj.get_clean()\n {expected.get_clean()} returned by expected.get_clean()') - - def test_valid_mount_changing_propagation(self): - # Rules changing propagation type can either specify a source or a dest (these are equivalent for apparmor_parser in this specific case) but not both. --- -GitLab - - -From 98a0a2fee92b86155de258711c554f068ead8f6c Mon Sep 17 00:00:00 2001 -From: Christian Boltz -Date: Sun, 9 Jun 2024 23:03:13 +0200 -Subject: [PATCH 2/2] MountRule: Add support for empty ("") source - -This needs adding of an empty_ok flag in _aare_or_all(). - -Also add a few tests from boo#1226031 to utils and parser tests. - -Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1226031 - -(cherry picked from commit 1f33fc9b29c174698fdf0116a4a9f50680ec4fdb, -test-mount.py changes adjusted for 4.0 branch) ---- - parser/tst/simple_tests/mount/ok_quoted_1.sd | 9 +++++++++ - utils/apparmor/rule/__init__.py | 4 ++-- - utils/apparmor/rule/mount.py | 4 ++-- - utils/test/test-mount.py | 2 ++ - 4 files changed, 15 insertions(+), 4 deletions(-) - create mode 100644 parser/tst/simple_tests/mount/ok_quoted_1.sd - -diff --git a/parser/tst/simple_tests/mount/ok_quoted_1.sd b/parser/tst/simple_tests/mount/ok_quoted_1.sd -new file mode 100644 -index 000000000..c819caea3 ---- /dev/null -+++ b/parser/tst/simple_tests/mount/ok_quoted_1.sd -@@ -0,0 +1,9 @@ -+# -+#=Description basic mount rules with quoted paths -+#=EXRESULT PASS -+# -+/usr/bin/foo { -+ mount "" -> "/", -+ mount "" -> "/tmp/", -+ umount "/", -+} -diff --git a/utils/apparmor/rule/__init__.py b/utils/apparmor/rule/__init__.py -index ede7909ca..11e2f1f17 100644 ---- a/utils/apparmor/rule/__init__.py -+++ b/utils/apparmor/rule/__init__.py -@@ -51,7 +51,7 @@ class BaseRule(metaclass=ABCMeta): - # Set only in the parse() class method - self.raw_rule = None - -- def _aare_or_all(self, rulepart, partname, is_path, log_event): -+ def _aare_or_all(self, rulepart, partname, is_path, log_event, empty_ok=False): - """checks rulepart and returns - - (AARE, False) if rulepart is a (non-empty) string - - (None, True) if rulepart is all_obj (typically *Rule.ALL) -@@ -67,7 +67,7 @@ class BaseRule(metaclass=ABCMeta): - if rulepart == self.ALL: - return None, True - elif isinstance(rulepart, str): -- if not rulepart.strip(): -+ if not rulepart.strip() and not empty_ok: - raise AppArmorBug( - 'Passed empty %(partname)s to %(classname)s: %(rulepart)s' - % {'partname': partname, 'classname': self.__class__.__name__, 'rulepart': str(rulepart)}) -diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py -index 992c29142..d20522971 100644 ---- a/utils/apparmor/rule/mount.py -+++ b/utils/apparmor/rule/mount.py -@@ -66,7 +66,7 @@ mount_condition_pattern = rf'({fs_type_pattern})?\s*({option_pattern})?' - # - A path : /foo - # - A globbed Path : ** - --glob_pattern = r'(\s*(?P<%s>(([/{]|\*\*)\S*|"([/{]|\*\*)[^"]*"|@{\S+}\S*|"@{\S+}[^"]*")|\w+))' -+glob_pattern = r'(\s*(?P<%s>(([/{]|\*\*)\S*|"([/{]|\*\*)[^"]*"|@{\S+}\S*|"@{\S+}[^"]*"|"")|\w+))' - source_fileglob_pattern = glob_pattern % 'source_file' - dest_fileglob_pattern = glob_pattern % 'dest_file' - -@@ -114,7 +114,7 @@ class MountRule(BaseRule): - raise AppArmorException(_('Passed unknown options keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items))) - self.is_options_equal = options[0] if not self.all_options else None - -- self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event) -+ self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event, empty_ok=True) - self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event) - - if not self.all_fstype and self.is_fstype_equal not in ('=', 'in'): -diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py -index 6dfe1ac85..7af46a5d8 100644 ---- a/utils/test/test-mount.py -+++ b/utils/test/test-mount.py -@@ -55,6 +55,8 @@ class MountTestParse(AATest): - MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/', - '/tmp/snap.rootfs_*{,/usr}/lib/modules/', - False, False, False, '' )), -+ ('mount options=(runbindable, rw) -> /,', MountRule('mount', MountRule.ALL, ('=', ['runbindable', 'rw']), MountRule.ALL, '/', False, False, False, '')), -+ ('mount "" -> /,', MountRule('mount', MountRule.ALL, MountRule.ALL, '', '/', False, False, False, '')), - ('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), - ('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), - ('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '' )), --- -GitLab - diff --git a/plasmashell.diff b/plasmashell.diff deleted file mode 100644 index bf6d1de..0000000 --- a/plasmashell.diff +++ /dev/null @@ -1,31 +0,0 @@ -commit 64469afa2c65eb8a90a19d2b658a9559fb3964b0 -Author: Christian Boltz -Date: Tue Jun 4 21:14:50 2024 +0200 - - Add openSUSE path to plasmashell profile - - While on it, - - add some comments explaining what the profile does - - adjust the rule with the Debian/Ubuntu path to work with Qt6 - - Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961 - -diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell -index d743ff7a3..51c50a689 100644 ---- a/profiles/apparmor.d/plasmashell -+++ b/profiles/apparmor.d/plasmashell -@@ -17,8 +17,13 @@ profile plasmashell /usr/bin/plasmashell { - unix, - ptrace, - -- /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess, -+ # allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues) -+ /usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess, -+ /usr/libexec/qt[56]/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess, -+ -+ # allow to execute all other programs under their own profile, or to run unconfined - /** pux, -+ - /{,**} mrwlk, - - profile QtWebEngineProcess { diff --git a/sampa-rpcd-witness.diff b/sampa-rpcd-witness.diff deleted file mode 100644 index 2f9aa4a..0000000 --- a/sampa-rpcd-witness.diff +++ /dev/null @@ -1,48 +0,0 @@ -From https://gitlab.com/apparmor/apparmor/-/merge_requests/1256 -(adjusted to currently packaged samba-rpcd profile) - - -From 94ccd111deac35d7deadb07e66d25e045633e221 Mon Sep 17 00:00:00 2001 -From: Christian Boltz -Date: Sat, 8 Jun 2024 22:46:53 +0200 -Subject: [PATCH] samba-dcerpcd: allow to execute rpcd_witness - -... and extend the samba-rpcd profile to also include rpcd_witness. - -Patch by Noel Power - -Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225811 ---- - profiles/apparmor.d/samba-dcerpcd | 2 +- - profiles/apparmor.d/samba-rpcd | 4 ++-- - 2 files changed, 3 insertions(+), 3 deletions(-) - -Index: apparmor-v4.0.1/profiles/apparmor.d/samba-dcerpcd -=================================================================== ---- apparmor-v4.0.1.orig/profiles/apparmor.d/samba-dcerpcd 2024-04-12 05:59:30.000000000 +0200 -+++ apparmor-v4.0.1/profiles/apparmor.d/samba-dcerpcd 2024-06-25 21:49:49.017901846 +0200 -@@ -21,7 +21,7 @@ profile samba-dcerpcd /usr/lib*/samba/{, - /usr/lib*/samba/{,samba/}samba-dcerpcd mr, - - /usr/lib*/samba/ r, -- /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd, -+ /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} Px -> samba-rpcd, - /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic, - /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss, - -Index: apparmor-v4.0.1/profiles/apparmor.d/samba-rpcd -=================================================================== ---- apparmor-v4.0.1.orig/profiles/apparmor.d/samba-rpcd 2024-04-12 05:59:30.000000000 +0200 -+++ apparmor-v4.0.1/profiles/apparmor.d/samba-rpcd 2024-06-25 21:49:49.017901846 +0200 -@@ -13,9 +13,9 @@ abi , - - include - --profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} { -+profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} { - include -- /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr, -+ /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} mr, - - @{run}/samba/ncalrpc/np/winreg wr, - diff --git a/sddm-xauth.diff b/sddm-xauth.diff deleted file mode 100644 index 701adc5..0000000 --- a/sddm-xauth.diff +++ /dev/null @@ -1,22 +0,0 @@ -commit 0c6e031c02fb18affd3bb7f15e269d9dd5c3317a -Author: Christian Boltz -Date: Tue Jun 4 21:45:06 2024 +0200 - - abstractions/X: add another xauth path - - This time it's /tmp/xauth_?????? r, which gets used by latest sddm. - - Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1223900 - -diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X -index 6f0272d64..6df891185 100644 ---- a/profiles/apparmor.d/abstractions/X -+++ b/profiles/apparmor.d/abstractions/X -@@ -28,6 +28,7 @@ - owner @{run}/user/*/gdm/Xauthority r, - owner @{run}/user/*/X11/Xauthority r, - owner @{run}/user/*/xauth_* r, -+ owner /tmp/xauth_?????? r, - - # the unix socket to use to connect to the display - /tmp/.X11-unix/* rw, diff --git a/teardown-unconfined.diff b/teardown-unconfined.diff deleted file mode 100644 index 5708bd9..0000000 --- a/teardown-unconfined.diff +++ /dev/null @@ -1,21 +0,0 @@ -commit f497afbe1364b45540a6582870e5a76f1ada7a2b -Author: Christian Boltz -Date: Tue May 28 21:13:47 2024 +0200 - - Fix aa-teardown for `unconfined` profiles - - Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225457 - -diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions -index f66fea422..099ab67d3 100644 ---- a/parser/rc.apparmor.functions -+++ b/parser/rc.apparmor.functions -@@ -253,7 +253,7 @@ remove_profiles() { - retval=0 - # We filter child profiles as removing the parent will remove - # the children -- sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \ -+ sed -e "s/ (\(enforce\|complain\|unconfined\))$//" "$SFS_MOUNTPOINT/profiles" | \ - LC_COLLATE=C sort | grep -v // | { - while read -r profile ; do - printf "%s" "$profile" > "$SFS_MOUNTPOINT/.remove" diff --git a/test-aa-notify.diff b/test-aa-notify.diff deleted file mode 100644 index 3ed0c0c..0000000 --- a/test-aa-notify.diff +++ /dev/null @@ -1,30 +0,0 @@ -https://gitlab.com/apparmor/apparmor/-/merge_requests/1226 - -From 715cb711ba26d3ccff490f35f80721cf3678abb6 Mon Sep 17 00:00:00 2001 -From: Christian Boltz -Date: Sun, 5 May 2024 22:05:43 +0200 -Subject: [PATCH] Don't rely on argparse saying "options:" - -Some argparse versions (for example on openSUSE Leap 15.5) instead say -"optional arguments:" - -Don't rely on the "options:" line to allow both wordings. ---- - utils/test/test-aa-notify.py | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py -index 4f3e540e9..abffd0631 100644 ---- a/utils/test/test-aa-notify.py -+++ b/utils/test/test-aa-notify.py -@@ -194,7 +194,6 @@ Display AppArmor notifications or messages for DENIED entries. - - expected_output_2 = \ - ''' --options: - -h, --help show this help message and exit - -p, --poll poll AppArmor logs and display notifications - --display DISPLAY set the DISPLAY environment variable (might be needed if --- -GitLab - diff --git a/tools-fix-redefinition.diff b/tools-fix-redefinition.diff deleted file mode 100644 index 365686d..0000000 --- a/tools-fix-redefinition.diff +++ /dev/null @@ -1,39 +0,0 @@ -From 553acd22324ed013d9f468aa8585518cf68b34f7 Mon Sep 17 00:00:00 2001 -From: Christian Boltz -Date: Sun, 21 Apr 2024 17:32:24 +0200 -Subject: [PATCH] Fix redefinition of _ - -... which unsurprisingly broke using the translations. - -This was a regression introduced in 4f51c93f9dc2516a32bfccc79b4dcf4985e61f47 - -Fixes: https://gitlab.com/apparmor/apparmor/-/issues/387 ---- - utils/apparmor/tools.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/utils/apparmor/tools.py b/utils/apparmor/tools.py -index e8a99bbe6..f7d4a0d36 100644 ---- a/utils/apparmor/tools.py -+++ b/utils/apparmor/tools.py -@@ -90,7 +90,7 @@ class aa_tools: - def get_next_for_modechange(self): - """common code for mode/flags changes""" - -- for (program, _, prof_filename) in self.get_next_to_profile(): -+ for (program, ignored, prof_filename) in self.get_next_to_profile(): - output_name = prof_filename if program is None else program - - if not os.path.isfile(prof_filename) or is_skippable_file(prof_filename): -@@ -162,7 +162,7 @@ class aa_tools: - def cmd_autodep(self): - apparmor.loadincludes() - -- for (program, _, prof_filename) in self.get_next_to_profile(): -+ for (program, ignored, prof_filename) in self.get_next_to_profile(): - if not program: - aaui.UI_Info(_('Please pass an application to generate a profile for, not a profile itself - skipping %s.') % prof_filename) - continue --- -GitLab - diff --git a/utils-relax-mount-rules-2.diff b/utils-relax-mount-rules-2.diff deleted file mode 100644 index 94b34c9..0000000 --- a/utils-relax-mount-rules-2.diff +++ /dev/null @@ -1,182 +0,0 @@ -commit 1f4bba0448563b7d1fe4d86c230556ebf8d3805b -Author: Maxime Bélair -Date: Mon May 20 11:09:04 2024 +0200 - - Cherry-pick: MountRule: Aligning behavior with apparmor_parser - - Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source. - - Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid. - - For the same reason, specifying a fstype in these cases is also prohibited. - - Similarly, we prohibit to specify a fstype for bind mount rules. - - Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685 - - (cherry picked from commit 60acc4a4053ddb3718b9a2f5ceb1ef02fea3a226) - - Signed-off-by: Maxime Bélair - -diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py -index abfa2b75e..b2d73a27b 100644 ---- a/utils/apparmor/rule/mount.py -+++ b/utils/apparmor/rule/mount.py -@@ -25,15 +25,18 @@ _ = init_translation() - - # TODO : Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules. - --flags_keywords = [ -- # keep in sync with parser/mount.cc mnt_opts_table! -- 'ro', 'r', 'read-only', 'rw', 'w', 'suid', 'nosuid', 'dev', 'nodev', 'exec', 'noexec', 'sync', 'async', 'remount', -- 'mand', 'nomand', 'dirsync', 'symfollow', 'nosymfollow', 'atime', 'noatime', 'diratime', 'nodiratime', 'bind', 'B', -- 'move', 'M', 'rbind', 'R', 'verbose', 'silent', 'loud', 'acl', 'noacl', 'unbindable', 'make-unbindable', 'runbindable', -- 'make-runbindable', 'private', 'make-private', 'rprivate', 'make-rprivate', 'slave', 'make-slave', 'rslave', 'make-rslave', -- 'shared', 'make-shared', 'rshared', 'make-rshared', 'relatime', 'norelatime', 'iversion', 'noiversion', 'strictatime', -- 'nostrictatime', 'lazytime', 'nolazytime', 'user', 'nouser', -- '([A-Za-z0-9])', -+flags_bind_mount = {'B', 'bind', 'R', 'rbind'} -+flags_change_propagation = { -+ 'remount', 'unbindable', 'shared', 'private', 'slave', 'runbindable', 'rshared', 'rprivate', 'rslave', -+ 'make-unbindable', 'make-shared', 'make-private', 'make-slave', 'make-runbindable', 'make-rshared', 'make-rprivate', -+ 'make-rslave' -+} -+# keep in sync with parser/mount.cc mnt_opts_table! -+flags_keywords = list(flags_bind_mount) + list(flags_change_propagation) + [ -+ 'ro', 'r', 'read-only', 'rw', 'w', 'suid', 'nosuid', 'dev', 'nodev', 'exec', 'noexec', 'sync', 'async', 'mand', -+ 'nomand', 'dirsync', 'symfollow', 'nosymfollow', 'atime', 'noatime', 'diratime', 'nodiratime', 'move', 'M', -+ 'verbose', 'silent', 'loud', 'acl', 'noacl', 'relatime', 'norelatime', 'iversion', 'noiversion', 'strictatime', -+ 'nostrictatime', 'lazytime', 'nolazytime', 'user', 'nouser', '([A-Za-z0-9])', - ] - join_valid_flags = '|'.join(flags_keywords) - -@@ -112,6 +115,7 @@ class MountRule(BaseRule): - self.is_options_equal = options[0] if not self.all_options else None - - self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event) -+ self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event) - - if not self.all_fstype and self.is_fstype_equal not in ('=', 'in'): - raise AppArmorBug(f'Invalid is_fstype_equal : {self.is_fstype_equal}') -@@ -120,11 +124,14 @@ class MountRule(BaseRule): - if self.operation != 'mount' and not self.all_source: - raise AppArmorException(f'Operation {self.operation} cannot have a source') - -- flags_forbidden_with_source = {'remount', 'unbindable', 'shared', 'private', 'slave', 'runbindable', 'rshared', 'rprivate', 'rslave'} -- if self.operation == 'mount' and not self.all_source and not self.all_options and flags_forbidden_with_source & self.options != set(): -- raise AppArmorException(f'Operation {flags_forbidden_with_source & self.options} cannot have a source. Source = {self.source}') -+ if self.operation == 'mount' and not self.all_options and flags_change_propagation & self.options != set(): -+ if not (self.all_source or self.all_dest): -+ raise AppArmorException(f'Operation {flags_change_propagation & self.options} cannot specify a source. Source = {self.source}') -+ elif not self.all_fstype: -+ raise AppArmorException(f'Operation {flags_change_propagation & self.options} cannot specify a fstype. Fstype = {self.fstype}') - -- self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event) -+ if self.operation == 'mount' and not self.all_options and flags_bind_mount & self.options != set() and not self.all_fstype: -+ raise AppArmorException(f'Bind mount rules cannot specify a fstype. Fstype = {self.fstype}') - - self.can_glob = not self.all_source and not self.all_dest and not self.all_options - -diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py -index 7f88ff7db..cb1a89630 100644 ---- a/utils/test/test-mount.py -+++ b/utils/test/test-mount.py -@@ -43,12 +43,12 @@ class MountTestParse(AATest): - ('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )), - ('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )), - ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )), -- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), -- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), -- ('mount fstype=({ext3,ext4}) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), -- ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), -- ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')), -- ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), -+ ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, '' )), -+ ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')), -+ ('mount fstype=({ext3,ext4}) options in (ro, sync) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'sync')), '/a', '/b', False, False, False, '' )), -+ ('mount fstype in (ext3, ext4) options=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')), -+ ('mount fstype in (ext3, ext4) option in (ro, sync) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'sync')), '/a', MountRule.ALL, False, False, False, ' #cmt')), -+ ('mount fstype=(ext3, ext4) option=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')), - ('mount options=(rw, rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,', - MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/', - '/tmp/snap.rootfs_*{,/usr}/lib/modules/', -@@ -68,6 +68,17 @@ class MountTestParse(AATest): - expected.raw_rule = rawrule.strip() - self.assertTrue(obj.is_equal(expected, True)) - -+ def test_valid_mount_changing_propagation(self): -+ # Rules changing propagation type can either specify a source or a dest (these are equivalent for apparmor_parser in this specific case) but not both. -+ MountRule('mount', MountRule.ALL, ('=', ('runbindable')), '/foo', MountRule.ALL) -+ MountRule('mount', MountRule.ALL, ('=', ('runbindable')), MountRule.ALL, '/foo') -+ -+ def test_valid_bind_mount(self): -+ # Fstype must remain empty in bind rules -+ MountRule('mount', MountRule.ALL, ('=', ('bind')), '/foo', MountRule.ALL) -+ MountRule('mount', MountRule.ALL, ('=', ('bind')), MountRule.ALL, '/bar') -+ MountRule('mount', MountRule.ALL, ('=', ('bind')), '/foo', '/bar') -+ - - class MountTestParseInvalid(AATest): - tests = ( -@@ -143,6 +154,20 @@ class MountTestParseInvalid(AATest): - with self.assertRaises(AppArmorException): - MountRule('remount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL) - -+ def test_invalid_mount_changing_propagation(self): -+ # Rules changing propagation type can either specify a source or a dest (these are equivalent for apparmor_parser in this specific case) but not both. -+ with self.assertRaises(AppArmorException): -+ MountRule('mount', MountRule.ALL, ('=', ('runbindable')), '/foo', '/bar') -+ -+ # Rules changing propagation type cannot specify a fstype. -+ with self.assertRaises(AppArmorException): -+ MountRule('mount', ('=', ('ext4')), ('=', ('runbindable')), MountRule.ALL, '/foo') -+ -+ def test_invalid_bind_mount(self): -+ # Bind mount rules cannot specify a fstype. -+ with self.assertRaises(AppArmorException): -+ MountRule('mount', ('=', ('ext4')), ('=', ('bind')), MountRule.ALL, '/foo') -+ - - class MountTestGlob(AATest): - def test_glob(self): -diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py -index 451af7d22..60a738aed 100644 ---- a/utils/test/test-parser-simple-tests.py -+++ b/utils/test/test-parser-simple-tests.py -@@ -85,16 +85,6 @@ exception_not_raised = ( - 'mount/bad_1.sd', - 'mount/bad_2.sd', - -- # not checked/detected: "make-*" mount opt and an invalid src -- 'mount/bad_opt_17.sd', -- 'mount/bad_opt_18.sd', -- 'mount/bad_opt_19.sd', -- 'mount/bad_opt_20.sd', -- 'mount/bad_opt_21.sd', -- 'mount/bad_opt_22.sd', -- 'mount/bad_opt_23.sd', -- 'mount/bad_opt_24.sd', -- - 'profile/flags/flags_bad10.sd', - 'profile/flags/flags_bad11.sd', - 'profile/flags/flags_bad12.sd', -@@ -324,19 +314,6 @@ unknown_line = ( - 'bare_include_tests/ok_85.sd', - 'bare_include_tests/ok_86.sd', - -- # Mount with flags in {remount, [r]unbindable, [r]shared, [r]private, [r]slave} does not support a source -- 'mount/ok_opt_68.sd', -- 'mount/ok_opt_69.sd', -- 'mount/ok_opt_70.sd', -- 'mount/ok_opt_71.sd', -- 'mount/ok_opt_72.sd', -- 'mount/ok_opt_73.sd', -- 'mount/ok_opt_74.sd', -- 'mount/ok_opt_75.sd', -- -- # options=slave with /** src (first rule in the test causes exception) -- 'mount/ok_opt_84.sd', -- - # According to spec mount should be in the form fstype=... options=... and NOT in the form options=... fstype=... - 'mount/ok_opt_combo_3.sd', - 'mount/ok_opt_combo_2.sd', diff --git a/utils-relax-mount-rules.diff b/utils-relax-mount-rules.diff deleted file mode 100644 index dbcf2a7..0000000 --- a/utils-relax-mount-rules.diff +++ /dev/null @@ -1,366 +0,0 @@ -commit eee50538da9a240bc151f26c6cff309808d33590 -Author: Georgia Garcia -Date: Wed May 8 12:58:42 2024 +0000 - - Merge MountRule: Relaxing constraints on fstype and completing AARE support - - - Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name. - - Completing AARE support for fstype (brace expressions like ext{3,4} are now supported). - - MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198 - Approved-by: Christian Boltz - Merged-by: Christian Boltz - - - (cherry picked from commit baa8b67248f3467cde40683600d7a945b05f9a3b) - - dad5ee28 MountRule: Relaxing constraints on fstype and completing AARE support - - Co-authored-by: Christian Boltz - -diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py -index f62c08e4b..abfa2b75e 100644 ---- a/utils/apparmor/rule/mount.py -+++ b/utils/apparmor/rule/mount.py -@@ -23,19 +23,7 @@ from apparmor.translations import init_translation - - _ = init_translation() - --# TODO : --# - match correctly AARE on every field --# - Find the actual list of supported filesystems. This one comes from /proc/filesystems. We also blindly accept fuse.* --# - Support path that begin by { (e.g. {,/usr}/lib/...) This syntax is not a valid AARE but is used by usr.lib.snapd.snap-confine.real in Ubuntu and will currently raise an error in genprof if these lines are not modified. --# - Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules. -- --valid_fs = [ -- 'sysfs', 'tmpfs', 'bdevfs', 'procfs', 'cgroup', 'cgroup2', 'cpuset', 'devtmpfs', 'configfs', 'debugfs', 'tracefs', -- 'securityfs', 'sockfs', 'bpf', 'npipefs', 'ramfs', 'hugetlbfs', 'devpts', 'ext3', 'ext2', 'ext4', 'squashfs', -- 'vfat', 'ecryptfs', 'fuseblk', 'fuse', 'fusectl', 'efivarfs', 'mqueue', 'store', 'autofs', 'binfmt_misc', 'overlay', -- 'none', 'bdev', 'proc', 'pipefs', 'pstore', 'btrfs', 'xfs', '9p', 'resctrl', 'zfs', 'iso9660', 'udf', 'ntfs3', -- 'nfs', 'cifs', 'overlayfs', 'aufs', 'rpc_pipefs', 'msdos', 'nfs4', --] -+# TODO : Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules. - - flags_keywords = [ - # keep in sync with parser/mount.cc mnt_opts_table! -@@ -48,7 +36,6 @@ flags_keywords = [ - '([A-Za-z0-9])', - ] - join_valid_flags = '|'.join(flags_keywords) --join_valid_fs = '|'.join(valid_fs) - - sep = r'\s*[\s,]\s*' - -@@ -106,27 +93,18 @@ class MountRule(BaseRule): - - self.operation = operation - -- self.fstype, self.all_fstype, unknown_items = check_and_split_list(fstype[1] if fstype != self.ALL else fstype, valid_fs, self.ALL, type(self).__name__, 'fstype') -- -- if unknown_items: -- for it in unknown_items: -- -- # Several filesystems use fuse internally and are referred as fuse. (e.g. fuse.jmtpfs, fuse.s3fs, fuse.obexfs). -- # Since this list seems to evolve too fast for a fixed list to work in practice, we just accept fuse.* -- # See https://github.com/libfuse/libfuse/wiki/Filesystems and, https://doc.ubuntu-fr.org/fuse -- if it.startswith('fuse.') and len(it) > 5: -- continue -- -- it = AARE(it, is_path=False) -- found = False -- for fs in valid_fs: -- if self._is_covered_aare(it, self.all_fstype, AARE(fs, False), self.all_fstype, 'fstype'): -- found = True -- break -- if not found: -- raise AppArmorException(_('Passed unknown fstype keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items))) -- -- self.is_fstype_equal = fstype[0] if not self.all_fstype else None -+ if fstype == self.ALL or fstype[1] == self.ALL: -+ self.all_fstype = True -+ self.fstype = None -+ self.is_fstype_equal = None -+ else: -+ self.all_fstype = False -+ for it in fstype[1]: -+ l, unused = parse_aare(it, 0, 'fstype') -+ if l != len(it): -+ raise AppArmorException(f'Invalid aare : {it}') -+ self.fstype = fstype[1] -+ self.is_fstype_equal = fstype[0] - - self.options, self.all_options, unknown_items = check_and_split_list(options[1] if options != self.ALL else options, flags_keywords, self.ALL, type(self).__name__, 'options') - if unknown_items: -@@ -173,7 +151,7 @@ class MountRule(BaseRule): - - if r['fstype'] is not None: - is_fstype_equal = r['fstype_equals_or_in'] -- fstype = strip_parenthesis(r['fstype']).replace(',', ' ').split() -+ fstype = parse_aare_list(strip_parenthesis(r['fstype']), 'fstype') - else: - is_fstype_equal = None - fstype = cls.ALL -@@ -316,6 +294,38 @@ class MountRuleset(BaseRuleset): - '''Class to handle and store a collection of Mount rules''' - - -+ -+def parse_aare(s, offset, param): -+ parsed = '' -+ brace_count = 0 -+ for i, c in enumerate(s[offset:], start=offset): -+ if c in [' ', ',', '\t'] and brace_count == 0: -+ break -+ parsed += c -+ if c == '{': -+ brace_count += 1 -+ elif c == '}': -+ brace_count -= 1 -+ if brace_count < 0: -+ raise AppArmorException(f"Unmatched closing brace in {param}: {s[offset:]}") -+ offset = i -+ -+ if brace_count != 0: -+ raise AppArmorException(f"Unmatched opening brace in {param}: {s[offset:]}") -+ -+ return offset + 1, parsed -+ -+ -+def parse_aare_list(s, param): -+ res = [] -+ offset = 0 -+ while offset <= len(s): -+ offset, part = parse_aare(s, offset, param) -+ if part.translate(' ,\t') != '': -+ res.append(part) -+ return res -+ -+ - def wrap_in_with_spaces(value): - ''' wrap 'in' keyword in spaces, and leave everything else unchanged ''' - -diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py -index e37c287c7..7f88ff7db 100644 ---- a/utils/test/test-mount.py -+++ b/utils/test/test-mount.py -@@ -20,7 +20,7 @@ from common_test import AATest, setup_all_loops - from apparmor.common import AppArmorException, AppArmorBug - from apparmor.translations import init_translation - --from apparmor.rule.mount import MountRule, valid_fs -+from apparmor.rule.mount import MountRule - - _ = init_translation() - -@@ -31,34 +31,34 @@ class MountTestParse(AATest): - # Rule Operation Filesystem Options Source Destination Audit Deny Allow Comment - ('mount -> **,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '**', False, False, False, '' )), - ('mount options=(rw, shared) -> **,', MountRule('mount', MountRule.ALL, ('=', ('rw', 'shared')), MountRule.ALL, '**', False, False, False, '' )), -- ('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('bpf')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), -- ('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.obex*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), -- ('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), -- ('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ("bpf")), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )), -+ ('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), -+ ('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.obex*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), -+ ('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), -+ ('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )), - ('mount,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), -- ('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), -+ ('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), - ('mount bpf,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'bpf', MountRule.ALL, False, False, False, '' )), - ('mount none,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'none', MountRule.ALL, False, False, False, '' )), -- ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )), -+ ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )), - ('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )), - ('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )), -- ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/a', '/b', False, False, False, '' )), -- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), -- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), -- ('mount fstype=(ext3, ext4) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), -- ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), -- ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')), -- ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), -+ ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )), -+ ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), -+ ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), -+ ('mount fstype=({ext3,ext4}) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), -+ ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), -+ ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')), -+ ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), - ('mount options=(rw, rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,', - MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/', - '/tmp/snap.rootfs_*{,/usr}/lib/modules/', - False, False, False, '' )), - ('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), -- ('umount fstype=ext3,', MountRule('umount', ('=', ('ext3')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), -+ ('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), - ('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '' )), - - ('remount,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), -- ('remount fstype=ext4,', MountRule('remount', ('=', ('ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), -+ ('remount fstype=ext4,', MountRule('remount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), - ('remount /b,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/b', False, False, False, '' )), - ) - -@@ -72,7 +72,6 @@ class MountTestParse(AATest): - class MountTestParseInvalid(AATest): - tests = ( - ('mount fstype=,', AppArmorException), -- ('mount fstype=(foo),', AppArmorException), - ('mount fstype=(),', AppArmorException), - ('mount options=(),', AppArmorException), - ('mount option=(invalid),', AppArmorException), -@@ -90,7 +89,7 @@ class MountTestParseInvalid(AATest): - - def test_diff_non_mountrule(self): - exp = namedtuple('exp', ('audit', 'deny')) -- obj = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL) -+ obj = MountRule('mount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL) - with self.assertRaises(AppArmorBug): - obj.is_equal(exp(False, False), False) - -@@ -98,9 +97,25 @@ class MountTestParseInvalid(AATest): - with self.assertRaises(AppArmorBug): - MountRule('mount', ('ext3', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in' - -- def test_diff_invalid_fstype_keyword(self): -- with self.assertRaises(AppArmorException): -- MountRule('mount', ('=', 'invalidfs'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in' -+ def test_diff_invalid_fstype_aare(self): -+ tests = [ -+ 'mount fstype=({unclosed_regex),', -+ 'mount fstype=({closed}twice}),', -+ ] -+ -+ for t in tests: -+ with self.assertRaises(AppArmorException): -+ MountRule.create_instance(t) -+ -+ def test_diff_invalid_fstype_aare_2(self): -+ fslists = [ -+ ['invalid_{_regex'], -+ ['ext4', 'invalid_}_regex'], -+ ['ext4', '{invalid} {regex}'] -+ ] -+ for fslist in fslists: -+ with self.assertRaises(AppArmorException): -+ MountRule('mount', ('=', fslist), MountRule.ALL, MountRule.ALL, MountRule.ALL) - - def test_diff_invalid_options_equals_or_in(self): - with self.assertRaises(AppArmorBug): -@@ -111,7 +126,7 @@ class MountTestParseInvalid(AATest): - MountRule('mount', MountRule.ALL, ('=', 'invalid'), MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in' - - def test_diff_fstype(self): -- obj1 = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL) -+ obj1 = MountRule('mount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL) - obj2 = MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL) - self.assertFalse(obj1.is_equal(obj2, False)) - -@@ -129,14 +144,6 @@ class MountTestParseInvalid(AATest): - MountRule('remount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL) - - --class MountTestFilesystems(AATest): -- def test_fs(self): -- with open('/proc/filesystems') as f: -- for line in f: -- fs_name = line.split()[-1] -- self.assertTrue(fs_name in valid_fs, '/proc/filesystems contains %s which is not listed in MountRule valid_fs' % fs_name) -- -- - class MountTestGlob(AATest): - def test_glob(self): - globList = [( -@@ -199,49 +206,58 @@ class MountIsCoveredTest(AATest): - def test_is_covered(self): - obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*') - tests = [ -- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b', '/bar'), -- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/b') -+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b', '/bar'), -+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/b') - ] - for test in tests: - self.assertTrue(obj.is_covered(MountRule(*test))) - self.assertFalse(obj.is_equal(MountRule(*test))) - - def test_is_covered_fs_source(self): -- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL) -- self.assertTrue(obj.is_covered(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL))) -- self.assertFalse(obj.is_equal(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL))) -+ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', MountRule.ALL) -+ self.assertTrue(obj.is_covered(MountRule('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL))) -+ self.assertFalse(obj.is_equal(MountRule('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL))) - -- def test_is_covered_regex(self): -- obj = MountRule('mount', ('=', ('sys*', 'fuse.*')), ('=', ('ro')), 'tmpfs', MountRule.ALL) -+ def test_is_covered_aare_1(self): -+ obj = MountRule('mount', ('=', ['sys*', 'fuse.*']), ('=', ('ro')), 'tmpfs', MountRule.ALL) - tests = [ -- ('mount', ('=', ('sysfs', 'fuse.s3fs')), ('=', ('ro')), 'tmpfs', MountRule.ALL), -- ('mount', ('=', ('sysfs', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso')), ('=', ('ro')), 'tmpfs', MountRule.ALL) -+ ('mount', ('=', ['sysfs', 'fuse.s3fs']), ('=', ('ro')), 'tmpfs', MountRule.ALL), -+ ('mount', ('=', ['sysfs', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso']), ('=', ('ro')), 'tmpfs', MountRule.ALL) -+ ] -+ for test in tests: -+ self.assertTrue(obj.is_covered(MountRule(*test))) -+ self.assertFalse(obj.is_equal(MountRule(*test))) -+ def test_is_covered_aare_2(self): -+ obj = MountRule('mount', ('=', ['ext{3,4}', '{cgroup*,fuse.*}']), ('=', ('ro')), 'tmpfs', MountRule.ALL) -+ tests = [ -+ ('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL), -+ ('mount', ('=', ['ext3', 'ext4', 'cgroup', 'cgroup2', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso']), ('=', ('ro')), 'tmpfs', MountRule.ALL) - ] - for test in tests: - self.assertTrue(obj.is_covered(MountRule(*test))) - self.assertFalse(obj.is_equal(MountRule(*test))) - - def test_is_notcovered(self): -- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*') -+ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/b*') - tests = [ -- ('mount', ('in', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ), -- ('mount', ('=', ('procfs', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ), -- ('mount', ('=', ('ext3')), ('=', ('rw')), '/foo/bar', '/bar' ), -- ('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/foo/b*', '/bar' ), -+ ('mount', ('in', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ), -+ ('mount', ('=', ['procfs', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ), -+ ('mount', ('=', ['ext3']), ('=', ('rw')), '/foo/bar', '/bar' ), -+ ('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/foo/b*', '/bar' ), - ('mount', MountRule.ALL, ('=', ('ro')), '/foo/b*', '/bar' ), -- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/invalid/bar', '/bar' ), -+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/invalid/bar', '/bar' ), - ('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ), - ('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ), -- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', '/bar' ), -- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/invalid'), -+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', '/bar' ), -+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/invalid'), - ] - for test in tests: - self.assertFalse(obj.is_covered(MountRule(*test))) - self.assertFalse(obj.is_equal(MountRule(*test))) - - def test_is_not_covered_fs_source(self): -- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL) -- test = ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'procfs', MountRule.ALL) -+ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', MountRule.ALL) -+ test = ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'procfs', MountRule.ALL) - self.assertFalse(obj.is_covered(MountRule(*test))) - self.assertFalse(obj.is_equal(MountRule(*test))) - -diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py -index 40f61ef85..451af7d22 100644 ---- a/utils/test/test-parser-simple-tests.py -+++ b/utils/test/test-parser-simple-tests.py -@@ -324,9 +324,6 @@ unknown_line = ( - 'bare_include_tests/ok_85.sd', - 'bare_include_tests/ok_86.sd', - -- # mount with fstype using AARE -- 'mount/ok_12.sd', -- - # Mount with flags in {remount, [r]unbindable, [r]shared, [r]private, [r]slave} does not support a source - 'mount/ok_opt_68.sd', - 'mount/ok_opt_69.sd',