Accepting request 452189 from security:apparmor

[New attempt with /var/lib/apparmor/cache as cache location, as discussed
with DimStar on IRC. No other differences compared to SR 449669.]

- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/.
  This is part of the root partition (at least with default partitioning)
  and should be available earlier than /var/cache/apparmor/
  (boo#1015249, boo#980081, bsc#1016259)
- add dependency on var-lib.mount to apparmor.service as safety net

- update to AppArmor 2.10.2 maintenance release
  - lots of bugfixes and profile updates (including boo#1000201,
    boo#1009964, boo#1014463)
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_2 for details
- add aa-unconfined-fix-netstat-call-2.10r3380.diff to fix a regression
  in aa-unconfined
- drop upstream(ed) patches:
  - changes-since-2.10.1--r3326..3346.diff
  - changes-since-2.10.1--r3347..3353.diff
  - libapparmor-fix-import-path.diff (upstream fix is slightly different)
  - nscd-var-lib.diff
- refresh apparmor-abstractions-no-multiline.diff

OBS-URL: https://build.opensuse.org/request/show/452189
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=97
Dominique Leuenberger 2017-01-27 09:39:55 +00:00 committed by Git OBS Bridge
commit cd42aa3f12
13 changed files with 98 additions and 1314 deletions


@ -0,0 +1,39 @@
------------------------------------------------------------
revno: 3380
committer: Steve Beattie <sbeattie@ubuntu.com>
branch nick: 2.10
timestamp: Mon 2017-01-09 09:22:58 -0800
message:
Subject: utils/aa-unconfined: fix netstat invocation regression
It was reported that converting the netstat command to examine
processes bound to ipv6 addresses broke on OpenSUSE due to the version
of nettools not supporting the short -4 -6 arguments.
This patch fixes the invocation of netstat to use the "--protocol
inet,inet6" arguments instead, which should return the same results
as the short options.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
=== modified file 'utils/aa-unconfined'
--- utils/aa-unconfined 2016-12-05 09:21:27 +0000
+++ utils/aa-unconfined 2017-01-09 17:22:58 +0000
@@ -46,10 +46,10 @@
regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")
import subprocess
if sys.version_info < (3, 0):
- output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
+ output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n")
else:
#Python3 needs to translate a stream of bytes to string with specified encoding
- output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n")
+ output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n")
for line in output:
match = regex_tcp_udp.search(line)
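Review bot: the Python 2 and Python 3 branches of the `sys.version_info` check now carry the identical string `LANG=C netstat -nlp --protocol inet,inet6`, so this regression had to be fixed in two places within one hunk; hoist the command into a single variable above the `if` so the next netstat change is made once. `shell=True` is only there for the `LANG=C` prefix, and note that `LANG=C` does not win over an `LC_ALL` already set in the caller's environment, so the regex on the line above can still face localized output; passing an argument list with `env=dict(os.environ, LC_ALL='C')` avoids both the shell and that gap. The switch from `-46` to the long `--protocol inet,inet6` form matches what the message says the older net-tools on openSUSE accepts.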
vim:ft=diff


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:07a76f338304baadc4ad69d025fe000b1ab4779a251ae8f338afdc13ef1e0f24
size 4494037


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

apparmor-2.10.2.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c253656820a2e6b0127af0ba8ceda36ffec1ae5c9dc0ee8793c3fe97121feac3
size 4497918


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


@ -3,10 +3,10 @@ Index: profiles/apparmor.d/abstractions/X
===================================================================
--- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200
+++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200
@@ -24,12 +24,8 @@
@@ -25,12 +25,8 @@
# the unix socket to use to connect to the display
/tmp/.X11-unix/* w,
/tmp/.X11-unix/* rw,
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
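Review bot: this refresh only moves the hunk offset in abstractions/X (`@@ -24,12 +24,8 @@` becomes `@@ -25,12 +25,8 @@`); the dropped multiline `unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*")` rule still gets no single-line replacement, so with this patch applied the X connection is covered only by the `/tmp/.X11-unix/* rw,` path rule and the abstract-socket peer restriction is gone. That is the intended trade-off for a parser without unix rule support, but the `grep` for left-over multiline rules in the spec's %prep is the only guard that the refresh did not miss a rule, so keep it in place.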
@ -122,7 +122,7 @@ Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
@@ -58,108 +33,47 @@
@@ -58,108 +36,47 @@
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
/{,var/}run/dbus/system_bus_socket rw,
@ -282,7 +282,7 @@ Index: profiles/apparmor.d/abstractions/gnome
===================================================================
--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
+++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
@@ -88,6 +88,4 @@
@@ -91,6 +91,4 @@
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
# rules)


@ -1,3 +1,28 @@
-------------------------------------------------------------------
Tue Jan 24 13:40:30 UTC 2017 - suse-beta@cboltz.de
- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/.
This is part of the root partition (at least with default partitioning)
and should be available earlier than /var/cache/apparmor/
(boo#1015249, boo#980081, bsc#1016259)
- add dependency on var-lib.mount to apparmor.service as safety net
-------------------------------------------------------------------
Tue Jan 10 22:15:56 UTC 2017 - suse-beta@cboltz.de
- update to AppArmor 2.10.2 maintenance release
- lots of bugfixes and profile updates (including boo#1000201,
boo#1009964, boo#1014463)
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_2 for details
- add aa-unconfined-fix-netstat-call-2.10r3380.diff to fix a regression
in aa-unconfined
- drop upstream(ed) patches:
- changes-since-2.10.1--r3326..3346.diff
- changes-since-2.10.1--r3347..3353.diff
- libapparmor-fix-import-path.diff (upstream fix is slightly different)
- nscd-var-lib.diff
- refresh apparmor-abstractions-no-multiline.diff
-------------------------------------------------------------------
Sun Oct 23 13:18:43 UTC 2016 - suse-beta@cboltz.de


@ -3,6 +3,7 @@ Description=Load AppArmor profiles
DefaultDependencies=no
Before=sysinit.target
After=systemd-journald-audit.socket
After=var-lib.mount
ConditionSecurity=apparmor
[Service]
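Review bot: `After=var-lib.mount` is ordering only; with `DefaultDependencies=no` on this unit, nothing here pulls the mount into the transaction, so the "safety net" holds only when something else already activates `var-lib.mount`, and it is a silent no-op on systems where /var/lib is not a separate mount unit. `RequiresMountsFor=/var/lib/apparmor/cache` expresses the actual dependency on the cache path, works whether /var, /var/lib or neither is its own mount, and adds both the `Requires=` and `After=` edges.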


@ -1,8 +1,8 @@
#
# spec file for package apparmor
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2011-2016 Christian Boltz
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2011-2017 Christian Boltz
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -60,7 +60,7 @@ Name: apparmor
%if ! %{?distro:1}0
%define distro suse
%endif
Version: 2.10.1
Version: 2.10.2
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
@ -82,8 +82,8 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
Patch3: apparmor-utils-string-split
# upstream changes/fixes from 2.10 branch r3326..3346
Patch4: changes-since-2.10.1--r3326..3346.diff
# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380)
Patch4: aa-unconfined-fix-netstat-call-2.10r3380.diff
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
Patch5: ruby-2_0-mkmf-destdir.patch
@ -95,15 +95,6 @@ Patch6: apparmor-abstractions-no-multiline.diff
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch
# fix import path for LibAppArmor for newer swig versions (boo#987607, not upstreamed yet)
Patch8: libapparmor-fix-import-path.diff
# upstream changes/fixes from 2.10 branch r3347..3353
Patch9: changes-since-2.10.1--r3347..3353.diff
# update nscd profile and abstractions/nameservice to allow /var/lib/nscd/ paths (submitted upstream 2016-10-23)
Patch10: nscd-var-lib.diff
Url: https://launchpad.net/apparmor
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -453,9 +444,6 @@ SubDomain.
%patch6
%patch7 -p1
%patch8
%patch9
%patch10
# search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
@ -572,9 +560,9 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
%makeinstall -C parser
# default cache dir is /etc/apparmor.d/cache - not the best location.
# Use /var/cache/apparmor and make /etc/apparmor.d/cache a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache )
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
%if %{with apache}
%makeinstall -C changehat/mod_apparmor
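Review bot: the new symlink target `../../%{_localstatedir}/lib/apparmor/cache` is relative to `%{_sysconfdir}/apparmor.d/` and only resolves to /var/lib/apparmor/cache when `%{_sysconfdir}` is two levels deep and `%{_localstatedir}` is `/var`; the comment on the line above should state that assumption, or the link could be created with an absolute target. The hunk also leaves the previous /var/cache/apparmor directory in place on upgrades, so a `%post` cleanup (or at least a changelog note) would avoid a stale, now-unreferenced cache directory lingering on existing installs.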
@ -645,7 +633,6 @@ echo -------------------------------------------------------------------
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache
%dir %{_localstatedir}/cache/apparmor
%if %{distro} == "suse"
/sbin/rcsubdomain
/sbin/rcapparmor
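Review bot: the %files hunk drops `%dir %{_localstatedir}/cache/apparmor` but does not add a matching `%dir %{_localstatedir}/lib/apparmor/cache` entry for the directory that %install now creates; unless /var/lib/apparmor/cache is owned elsewhere in the spec, rpmbuild will reject the unpackaged file or the directory will be left unowned. Since the parser loads compiled policy from this cache, list it explicitly with root-only write permissions.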


@ -1,875 +0,0 @@
------------------------------------------------------------
revno: 3346
behebt den Fehler: https://launchpad.net/bugs/1538306
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-08-15 22:06:47 +0200
message:
Fix aa-logprof "add hat" endless loop
This turned out to be a simple case of misinterpreting the promptUser()
result - it returns the answer and the selected option, and
"surprisingly" something like
('CMD_ADDHAT', 0)
never matched
'CMD_ADDHAT'
;-)
I also noticed that the new hat doesn't get initialized as
profile_storage(), and that the changed profile doesn't get marked as
changed. This is also fixed by this patch.
References: https://bugs.launchpad.net/apparmor/+bug/1538306
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3345
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Fri 2016-08-12 12:02:43 +0200
message:
type_is_str(): make pyflakes3 happy
pyflakes3 doesn't check sys.version and therefore complains about
'unicode' being undefined.
This patch defines unicode as alias of str to make pyflakes3 happy, and
as a side effect, simplifies type_is_str().
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
------------------------------------------------------------
revno: 3344
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-08-08 23:16:12 +0200
message:
delete_duplicates(): don't modify self.rules while looping over it
By calling self.delete() inside the delete_duplicates() loop, the
self.rules list was modified. This resulted in some rules not being
checked and therefore (some, not all) superfluous rules not being
removed.
This patch switches to a temporary variable to loop over, and rebuilds
self.rules with the rules that are not superfluous.
This also fixes some strange issues already marked with a "Huh?" comment
in the tests.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule,
therefore the cleanprof_test.out change doesn't make sense for 2.10.
------------------------------------------------------------
revno: 3343
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-08-03 21:53:06 +0200
message:
winbindd profile: allow dac_override
This is needed to delete kerberos ccache files, for details see
https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3342
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-07-31 17:15:42 +0200
message:
logparser: store network-related params if an event looks like network
Network events can come with an operation= that looks like a file event.
Nevertheless, if the event has a typical network parameter (like
net_protocol) set, make sure to store the network-related flags in ev.
This fixes the test failure introduced in my last commit.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3341
behebt den Fehler: https://launchpad.net/bugs/1577051
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sat 2016-07-30 00:44:18 +0200
message:
logparser.py: ignore network events with 'send receive'
We already ignore network events that look like file events (based on
the operation keyword) if they have a request_mask of 'send' or
'receive' to avoid aa-logprof crashes because of "unknown" permissions.
It turned out that both can happen at once, so we should also ignore
this case.
Also add the now-ignored log event as test_multi testcase.
References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13
Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3340
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Fri 2016-07-29 11:46:16 -0700
message:
add ld.so.preload to <abstractions/base>, thanks to Uzair Shamim
------------------------------------------------------------
revno: 3339
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Tue 2016-07-26 21:13:49 +0200
message:
Allow mr for /usr/lib*/ldb/*.so in samba abstractions
This is needed for winbindd (since samba 4.4.x), but smbd could also need it.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=990006
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3338
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Fri 2016-06-24 10:36:42 -0700
message:
intrigeri@boum.org 2016-06-24 mod_apparmor manpage: fix "documenation" typo.
------------------------------------------------------------
revno: 3337
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-06-22 15:15:42 -0700
message:
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Tue, 21 Jun 2016 18:18:45 +0100
Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf
Follow the same logic we already did for NetworkManager,
resolvconf and systemd-resolved. The wonderful thing about
standards is that there are so many to choose from.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[modified by sarnold to fit the surroundings]
------------------------------------------------------------
revno: 3336
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-06-05 23:43:55 +0200
message:
Add a note about still enforcing deny rules to aa-complain manpage
This behaviour makes sense (for example to force the confined program to
use a fallback path), but is probably surprising for users, so we should
document it.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218#37
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3335
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-06-05 20:07:33 +0200
message:
honor 'chown' file events in logparser.py
Also add a testcase to libapparmor's log collection
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3334
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-06-01 21:06:25 +0200
message:
aa-genprof: ask about profiles in extra dir (again)
Thanks to reading the wrong directory in read_inactive_profiles()
(profile_dir instead of extra_profile_dir), aa-genprof never asked about
using a profile from the extra_profile_dir.
Sounds like an easy fix, right? ;-)
After fixing this (last chunk), several other errors popped up, one
after the other:
- get_profile() missed a required parameter in a serialize_profile() call
- when saving the profile, it was written to extra_profile_dir, not to
profile_dir where it (as a now-active profile) should be. This is
fixed by removing the filename from existing_profiles{} so that it can
pick up the default name.
- CMD_FINISHED (when asking if the extra profile should be used or a new
one) behaved exactly like CMD_CREATE_PROFILE, but this is surprising
for the user. Remove it to avoid confusion.
- displaying the extra profile was only implemented in YaST mode
- get_pager() returned None, not an actual pager. Since we have 'less'
hardcoded at several places, also return it in get_pager()
Finally, also remove CMD_FINISHED from the get_profile() test in
test-translations.py.
(test-translations.py is only in trunk, therefore this part of the patch
is obviously trunk-only.)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk
Acked-by: John Johansen <john.johansen@canonical.com> for trunk + a 50% ACK for 2.10 and 2.9
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3333
behebt die Fehler: https://launchpad.net/bugs/1577051 https://launchpad.net/bugs/1582374
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-05-23 23:32:23 +0200
message:
Ignore file events with a request mask of 'send' or 'receive'
Those events are actually network events, so ideally we should map them
as such. Unfortunately this requires bigger changes, so here is a hotfix
that ignores those events and thus avoids crashing aa-logprof.
References: https://bugs.launchpad.net/apparmor/+bug/1577051
https://bugs.launchpad.net/apparmor/+bug/1582374
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3332
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-05-22 14:51:55 +0200
message:
Document empty quotes ("") as empty value of a variable
Acked-by: Seth Arnold <seth.arnold@canonical.com> for all branches where this makes sense :)
------------------------------------------------------------
revno: 3331
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-05-18 21:18:34 +0200
message:
allow inet6 in ping profile
The latest iputils merged ping and ping6 into a single binary that does
both IPv4 and IPv6 pings (by default, it really does both).
This means we need to allow network inet6 raw in the ping profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596
(contains more details and example output)
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3330
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-05-11 17:23:22 -0700
message:
dbus-session-strict: allow access to the user bus socket
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 4 May 2016 13:48:36 +0100
Subject: dbus-session-strict: allow access to the user bus socket
If dbus is configured with --enable-user-bus (for example in the
dbus-user-session package in Debian and its derivatives), and the user
session is started with systemd, then the "dbus-daemon --session" will be
started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus. Similarly,
on systems where dbus-daemon has been replaced with kdbus, the
bridge/proxy used to provide compatibility with the traditional D-Bus
protocol listens on that same socket.
In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems,
where $uid represents the numeric uid. I have not used /{var/,}run here,
because systemd does not support configurations where /var/run and /run
are distinct; in practice, /var/run is a symbolic link.
Based on a patch by Sjoerd Simons, which originally used the historical
path /run/user/*/dbus/user_bus_socket. That path was popularized by the
user-session-units git repository, but has never been used in a released
version of dbus and should be considered unsupported.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
------------------------------------------------------------
revno: 3329
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-05-11 16:30:29 -0700
message:
syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 11 May 2016 13:52:56 +0100
Subject: syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
This test attempts to auto-skip the sysctl() part if that syscall
was not compiled into the current kernel, via
CONFIG_SYSCTL_SYSCALL=n. Unfortunately, this didn't actually work,
for two reasons:
* Because "${test} ro" wasn't in "&&", "||", a pipeline or an "if",
and it had nonzero exit status, the trap on ERR was triggered,
causing execution of the error_handler() shell function, which
aborts the test with a failed status. The rules for ERR are the
same as for "set -e", so we can circumvent it in the same ways.
* Because sysctl_syscall.c prints its diagnostic message to stderr,
but the $() operator only captures stdout, it never matched
in the string comparison. This is easily solved by redirecting
its stderr to stdout.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
------------------------------------------------------------
revno: 3328
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Tue 2016-05-10 14:34:40 +0200
message:
load variables in ask_the_questions()
Variables can be used in several rule types (from the existing *Rule
classes: change_profile, dbus, ptrace, signal). It seems nobody uses
variables with those rules, otherwise we'd have received a bugreport ;-)
I noticed this while working on FileRule, where usage of variables is
more common. The file code in bzr (not using a *Rule class) already
loads the variables, so old versions don't need changes for file rule
handling.
However, 2.10 already has ChangeProfileRule and therefore also needs
this fix.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
------------------------------------------------------------
revno: 3327
behebt den Fehler: https://launchpad.net/bugs/1453300
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Thu 2016-05-05 12:02:11 +0200
message:
accept hostname with dots
Some people have the full hostname in their syslog messages, so
libapparmor needs to accept hostnames that contain dots.
References: https://bugs.launchpad.net/apparmor/+bug/1453300 comments
#1 and #2 (the log samples reported by scrx in #apparmor)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3326
tags: apparmor_2.10.1
committer: John Johansen <john.johansen@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-04-20 02:07:34 -0700
message:
common/Version: prepare for 2.10.1 release
=== modified file 'changehat/mod_apparmor/mod_apparmor.pod'
--- changehat/mod_apparmor/mod_apparmor.pod 2014-09-15 18:30:47 +0000
+++ changehat/mod_apparmor/mod_apparmor.pod 2016-06-24 17:36:42 +0000
@@ -65,7 +65,7 @@
AAHatName allows you to specify a hat to be used for a given Apache
E<lt>DirectoryE<gt>, E<lt>DirectoryMatchE<gt>, E<lt>LocationE<gt> or
-E<lt>LocationMatchE<gt> directive (see the Apache documenation for more
+E<lt>LocationMatchE<gt> directive (see the Apache documentation for more
details). Note that mod_apparmor behavior can become confused if
E<lt>Directory*E<gt> and E<lt>Location*E<gt> directives are intermingled
and it is recommended to use one type of directive. If the hat specified by
=== modified file 'libraries/libapparmor/src/scanner.l'
--- libraries/libapparmor/src/scanner.l 2015-06-02 08:00:29 +0000
+++ libraries/libapparmor/src/scanner.l 2016-05-05 10:02:11 +0000
@@ -178,7 +178,7 @@
hhmmss {digit}{2}{colon}{digit}{2}{colon}{digit}{2}
timezone ({plus}|{minus}){digit}{2}{colon}{digit}{2}
syslog_time {hhmmss}({period}{digits})?{timezone}?
-syslog_hostname [[:alnum:]_-]+
+syslog_hostname [[:alnum:]._-]+
dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
%x single_quoted_string
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.in'
--- libraries/libapparmor/testsuite/test_multi/file_chown.in 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/file_chown.in 2016-06-05 18:07:33 +0000
@@ -0,0 +1,1 @@
+type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.out'
--- libraries/libapparmor/testsuite/test_multi/file_chown.out 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/file_chown.out 2016-06-05 18:07:33 +0000
@@ -0,0 +1,15 @@
+START
+File: file_chown.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1465133533.431:728
+Operation: chown
+Mask: w
+Denied Mask: w
+fsuid: 0
+ouid: 4
+Profile: /usr/sbin/cupsd
+Name: /run/cups/certs/
+Command: cupsd
+PID: 8515
+Epoch: 1465133533
+Audit subid: 728
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in'
--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 2016-05-05 10:02:11 +0000
@@ -0,0 +1,1 @@
+Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" profile="/opt/evoke/venv/bin/gunicorn" name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=110
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out'
--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 2016-05-05 10:02:11 +0000
@@ -0,0 +1,15 @@
+START
+File: syslog_hostname_with_dot.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1442256553.643:40143
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 110
+Profile: /opt/evoke/venv/bin/gunicorn
+Name: /opt/evoke/venv/lib/python2.7/warnings.pyc
+Command: gunicorn
+PID: 28943
+Epoch: 1442256553
+Audit subid: 40143
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 2016-07-29 22:44:18 +0000
@@ -0,0 +1,1 @@
+Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive"
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 2016-07-29 22:44:18 +0000
@@ -0,0 +1,19 @@
+START
+File: testcase_network_send_receive.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1469785325.122:21021
+Operation: file_inherit
+Mask: send receive
+Denied Mask: send receive
+Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash
+Command: sh
+PID: 18239
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.10.3
+Foreign addr: 54.153.70.241
+Local port: 50758
+Foreign port: 443
+Epoch: 1469785325
+Audit subid: 21021
=== modified file 'parser/apparmor.d.pod'
--- parser/apparmor.d.pod 2016-02-12 20:43:42 +0000
+++ parser/apparmor.d.pod 2016-05-22 12:51:55 +0000
@@ -1234,7 +1234,8 @@
The parser will automatically expand variables to include all values
that they have been assigned; it is an error to reference a variable
-without setting at least one value.
+without setting at least one value. You can use empty quotes ("") to
+explicitly add an empty value.
At the time of this writing, the following variables are defined in the
provided AppArmor policy:
=== modified file 'profiles/apparmor.d/abstractions/base'
--- profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000
+++ profiles/apparmor.d/abstractions/base 2016-07-29 18:46:16 +0000
@@ -47,6 +47,7 @@
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
/etc/ld.so.cache mr,
+ /etc/ld.so.preload r,
/lib{,32,64}/ld{,32,64}-*.so mrix,
/lib{,32,64}/**/ld{,32,64}-*.so mrix,
/lib/@{multiarch}/ld{,32,64}-*.so mrix,
=== modified file 'profiles/apparmor.d/abstractions/dbus-session-strict'
--- profiles/apparmor.d/abstractions/dbus-session-strict 2014-09-03 20:11:05 +0000
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2016-05-12 00:23:22 +0000
@@ -17,6 +17,9 @@
type=stream
peer=(addr="@/tmp/dbus-*"),
+ # dbus with systemd and --enable-user-session
+ owner /run/user/[0-9]*/bus rw,
+
dbus send
bus=session
path=/org/freedesktop/DBus
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2016-01-05 23:04:34 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:42 +0000
@@ -33,14 +33,10 @@
/var/lib/sss/pipes/nss rw,
/etc/resolv.conf r,
- # on systems using resolvconf, /etc/resolv.conf is a symlink to
- # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
- # /etc/resolvconf/run/resolv.conf
- /{,var/}run/resolvconf/resolv.conf r,
+ # On systems where /etc/resolv.conf is managed programmatically, it is
+ # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
+ /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
/etc/resolvconf/run/resolv.conf r,
- # on systems using systemd's networkd, /etc/resolv.conf is a symlink to
- # /run/systemd/resolve/resolv.conf
- /{,var/}run/systemd/resolve/resolv.conf r,
/etc/samba/lmhosts r,
/etc/services r,
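Review bot: the hunk keeps `/etc/resolvconf/run/resolv.conf r,` but removes the comment that explained why it exists (the old lines said it is "a file sometimes referenced" on resolvconf systems), leaving a bare rule between two commented blocks; either fold that sentence into the new comment or drop the rule together with its explanation.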
=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba 2015-05-18 23:25:26 +0000
+++ profiles/apparmor.d/abstractions/samba 2016-07-26 19:13:49 +0000
@@ -10,6 +10,7 @@
# ------------------------------------------------------------------
/etc/samba/* r,
+ /usr/lib*/ldb/*.so mr,
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/cache/samba/ w,
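Review bot: `/usr/lib*/ldb/*.so` is both broader and narrower than intended: `lib*` also matches `/usr/libexec/...`, while it does not match multiarch layouts such as `/usr/lib/@{multiarch}/ldb/*.so`. The base abstraction already uses the `{,32,64}` and `@{multiarch}` spellings for exactly this case, so `/usr/lib{,32,64}/ldb/*.so mr,` plus `/usr/lib/@{multiarch}/ldb/*.so mr,` would be consistent with it.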
=== modified file 'profiles/apparmor.d/bin.ping'
--- profiles/apparmor.d/bin.ping 2015-10-20 21:12:35 +0000
+++ profiles/apparmor.d/bin.ping 2016-05-18 19:18:34 +0000
@@ -18,6 +18,7 @@
capability net_raw,
capability setuid,
network inet raw,
+ network inet6 raw,
/{,usr/}bin/ping mixr,
/etc/modules.conf r,
=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000
+++ profiles/apparmor.d/usr.sbin.winbindd 2016-08-03 19:53:06 +0000
@@ -7,6 +7,7 @@
deny capability block_suspend,
+ capability dac_override,
capability ipc_lock,
capability setuid,
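Review bot: `capability dac_override` lets winbindd bypass DAC permission checks on every path the profile already allows, which is a significant widening, and neither the hunk nor a comment records what access denial motivated it. Please add a comment with the denied path or operation above the rule so the capability can be re-evaluated (or narrowed to a file rule) later.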
=== modified file 'tests/regression/apparmor/syscall_sysctl.sh'
--- tests/regression/apparmor/syscall_sysctl.sh 2014-03-20 18:23:10 +0000
+++ tests/regression/apparmor/syscall_sysctl.sh 2016-05-11 23:30:29 +0000
@@ -149,8 +149,7 @@
# generally we want to encourage kernels to disable it, but if it's
# enabled we want to test against it
settest syscall_sysctl
-res=$(${test} ro)
-if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
+if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
echo " WARNING: syscall sysctl not implemented, skipping tests ..."
else
test_syscall_sysctl
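Review bot: the rewrite fixes two real bugs in the old test line, not just style: with `$res` unquoted and containing spaces, `[` would fail with "too many arguments" before the comparison ever ran, and `==` is not a POSIX `[` operator. One behaviour change to be aware of is the added `2>&1`: the comparison now sees stderr too, so any extra diagnostic the test binary prints on stderr will make the string match fail and the tests run rather than skip.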
=== modified file 'utils/aa-complain.pod'
--- utils/aa-complain.pod 2014-09-15 18:30:47 +0000
+++ utils/aa-complain.pod 2016-06-05 21:43:55 +0000
@@ -41,6 +41,8 @@
In this mode security policy is not enforced but rather access violations
are logged to the system log.
+Note that 'deny' rules will be enforced even in complain mode.
+
=head1 BUGS
If you find any bugs, please report them at
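Review bot: the new sentence is correct but incomplete for the reader it targets; explicit `deny` rules are also quiet by default, so the accesses they block are not logged unless the rule is written as `audit deny`. A user in complain mode expecting every blocked access to show up in the log will otherwise miss these, so the man page should say both things together.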
=== modified file 'utils/aa-mergeprof'
--- utils/aa-mergeprof 2015-07-06 20:02:34 +0000
+++ utils/aa-mergeprof 2016-05-10 12:34:40 +0000
@@ -1,6 +1,7 @@
#! /usr/bin/env python
# ----------------------------------------------------------------------
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
+# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -17,7 +18,7 @@
import os
import apparmor.aa
-from apparmor.aa import available_buttons, combine_name, delete_duplicates, is_known_rule, match_includes
+from apparmor.aa import available_buttons, combine_name, delete_duplicates, get_profile_filename, is_known_rule, match_includes
import apparmor.aamode
from apparmor.common import AppArmorException
from apparmor.regex import re_match_include
@@ -283,6 +284,9 @@
if not sev_db:
sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown'))
+ sev_db.unload_variables()
+ sev_db.load_variables(get_profile_filename(profile))
+
for hat in sorted(other.aa[profile].keys()):
#Add the includes from the other profile to the user profile
done = False
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2016-03-01 20:25:29 +0000
+++ utils/apparmor/aa.py 2016-08-15 20:06:47 +0000
@@ -1,6 +1,6 @@
# ----------------------------------------------------------------------
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
-# Copyright (C) 2014-2015 Christian Boltz <apparmor@cboltz.de>
+# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -557,8 +557,11 @@
inactive_profile[prof_name][prof_name].pop('filename')
profile_hash[uname]['username'] = uname
profile_hash[uname]['profile_type'] = 'INACTIVE_LOCAL'
- profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name)
+ profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name, None)
profile_hash[uname]['profile_data'] = inactive_profile
+
+ existing_profiles.pop(prof_name) # remove profile filename from list to force storing in /etc/apparmor.d/ instead of extra_profile_dir
+
# If no profiles in repo and no inactive profiles
if not profile_hash.keys():
return None
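Review bot: `existing_profiles.pop(prof_name)` raises `KeyError` if the inactive profile is not in `existing_profiles`; unless that is guaranteed by the code that populates both, `existing_profiles.pop(prof_name, None)` expresses the intent (remove the stale filename if present) without turning an inconsistency into a crash in the middle of the profile selection dialog.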
@@ -579,18 +582,13 @@
q = aaui.PromptQuestion()
q.headers = ['Profile', prof_name]
- q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE',
- 'CMD_ABORT', 'CMD_FINISHED']
+ q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT']
q.default = "CMD_VIEW_PROFILE"
q.options = options
q.selected = 0
ans = ''
while 'CMD_USE_PROFILE' not in ans and 'CMD_CREATE_PROFILE' not in ans:
- if ans == 'CMD_FINISHED':
- save_profiles()
- return
-
ans, arg = q.promptUser()
p = profile_hash[options[arg]]
q.selected = options.index(options[arg])
@@ -602,12 +600,13 @@
'profile_type': p['profile_type']
})
ypath, yarg = GetDataFromYast()
- #else:
- # pager = get_pager()
- # proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
+ else:
+ pager = get_pager()
+ proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
# proc.communicate('Profile submitted by %s:\n\n%s\n\n' %
# (options[arg], p['profile']))
- # proc.kill()
+ proc.communicate(p['profile'].encode())
+ proc.kill()
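Review bot: `proc.kill()` after `proc.communicate()` is wrong on Python 2: `communicate()` waits for the pager to exit and reaps it, and Python 2.7's `Popen.send_signal` calls `os.kill` unconditionally, so the `kill()` raises `OSError` (no such process) after the user quits the pager; Python 3 silently ignores it. Drop the `kill()` line, and while here remove the stale commented-out `proc.communicate('Profile submitted by ...')` lines that the hunk leaves behind. If `less` is not installed, `Popen` raises too, so a `try`/`except OSError` around the pager call with a fallback to printing the profile would be friendlier.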
elif ans == 'CMD_USE_PROFILE':
if p['profile_type'] == 'INACTIVE_LOCAL':
profile_data = p['profile_data']
@@ -658,6 +657,7 @@
if not profile_data:
profile_data = create_new_profile(pname)
file = get_profile_filename(pname)
+ profile_data[pname][pname]['filename'] = None # will be stored in /etc/apparmor.d when saving, so it shouldn't carry the extra_profile_dir filename
attach_profile_data(aa, profile_data)
attach_profile_data(original_aa, profile_data)
if os.path.isfile(profile_dir + '/tunables/global'):
@@ -1095,7 +1095,7 @@
seen_events += 1
- ans = q.promptUser()
+ ans = q.promptUser()[0]
if ans == 'CMD_FINISHED':
save_profiles()
@@ -1105,7 +1105,9 @@
if ans == 'CMD_ADDHAT':
hat = uhat
+ aa[profile][hat] = profile_storage(profile, hat, 'handle_children addhat')
aa[profile][hat]['flags'] = aa[profile][profile]['flags']
+ changed[profile] = True
elif ans == 'CMD_USEDEFAULT':
hat = default_hat
elif ans == 'CMD_DENY':
@@ -1590,6 +1592,10 @@
UI_SelectUpdatedRepoProfile(profile, p)
found += 1
+
+ sev_db.unload_variables()
+ sev_db.load_variables(get_profile_filename(profile))
+
# Sorted list of hats with the profile name coming first
hats = list(filter(lambda key: key != profile, sorted(log_dict[aamode][profile].keys())))
if log_dict[aamode][profile].get(profile, False):
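Review bot: the two-line `sev_db.unload_variables()` / `sev_db.load_variables(get_profile_filename(profile))` sequence added here is the same one added to aa-mergeprof in this patch; a small helper (e.g. a `reload_variables(profile)` on the severity object, or a function in aa.py) would keep the two call sites from drifting apart when the variable-loading logic changes.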
@@ -2305,7 +2311,7 @@
reload_base(profile_name)
def get_pager():
- pass
+ return 'less'
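Review bot: hard-coding `'less'` ignores the user's configured pager; `os.environ.get('PAGER', 'less')` keeps `less` as the default while honouring the conventional `PAGER` variable. Since the call site passes the result straight to `subprocess.Popen` without a shell, a `PAGER` value containing arguments would need `shlex.split`, so either document that only a bare command is supported or split it.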
def generate_diff(oldprofile, newprofile):
oldtemp = tempfile.NamedTemporaryFile('w')
@@ -2504,7 +2510,7 @@
except:
fatal_error(_("Can't read AppArmor profiles in %s") % extra_profile_dir)
- for file in os.listdir(profile_dir):
+ for file in os.listdir(extra_profile_dir):
if os.path.isfile(extra_profile_dir + '/' + file):
if is_skippable_file(file):
continue
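Review bot: the `os.listdir(extra_profile_dir)` fix is correct (the old code listed `profile_dir` but then stat'ed names under `extra_profile_dir`), but the bare `except:` two lines above it swallows everything, including `KeyboardInterrupt` and programming errors in the `try` body, and reports them all as "Can't read AppArmor profiles"; `except OSError:` is what the message actually describes.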
=== modified file 'utils/apparmor/common.py'
--- utils/apparmor/common.py 2015-12-17 22:38:02 +0000
+++ utils/apparmor/common.py 2016-08-12 10:02:43 +0000
@@ -245,11 +245,12 @@
return False
return True
+if sys.version_info[0] > 2:
+ unicode = str # python 3 dropped the unicode type. To keep type_is_str() simple (and pyflakes3 happy), re-create it as alias of str.
+
def type_is_str(var):
''' returns True if the given variable is a str (or unicode string when using python 2)'''
- if type(var) == str:
- return True
- elif sys.version_info[0] < 3 and type(var) == unicode: # python 2 sometimes uses the 'unicode' type
+ if type(var) in [str, unicode]: # python 2 sometimes uses the 'unicode' type
return True
else:
return False
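Review bot: `type(var) in [str, unicode]` rejects subclasses of `str` (including a `str` subclass returned by some libraries), whereas `isinstance(var, (str, unicode))` accepts them and reads as the usual idiom; with the `unicode = str` alias in place on Python 3 the tuple works on both interpreters. The function body could then simply be `return isinstance(var, (str, unicode))`.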
=== modified file 'utils/apparmor/logparser.py'
--- utils/apparmor/logparser.py 2016-02-10 18:09:57 +0000
+++ utils/apparmor/logparser.py 2016-07-31 15:15:42 +0000
@@ -133,7 +133,7 @@
ev['denied_mask'] = event.denied_mask
ev['request_mask'] = event.requested_mask
ev['magic_token'] = event.magic_token
- if ev['operation'] and self.op_type(ev['operation']) == 'net':
+ if ev['operation'] and (self.op_type(ev['operation']) == 'net' or event.net_protocol):
ev['family'] = event.net_family
ev['protocol'] = event.net_protocol
ev['sock_type'] = event.net_sock_type
@@ -278,7 +278,7 @@
self.debug_logger.debug('parse_event_for_tree: dropped exec event in %s' % e['profile'])
elif ( e['operation'].startswith('file_') or e['operation'].startswith('inode_') or
- e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'rename_src',
+ e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'chown', 'rename_src',
'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link',
'sysctl', 'getattr', 'setattr', 'xattr'] ):
@@ -289,6 +289,13 @@
self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e)
return None
+ # sometimes network events come with an e['operation'] that matches the list of file operations
+ # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374
+ # XXX these events are network events, so we should map them as such
+ if 'send' in e['request_mask'] or 'receive' in e['request_mask']:
+ self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e)
+ return None
+
# Map c (create) and d (delete) to w (logging is more detailed than the profile language)
rmask = e['request_mask']
rmask = rmask.replace('c', 'w')
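Review bot: returning `None` here means aa-logprof silently drops exactly the events the earlier hunk in this file went to the trouble of decoding (the `or event.net_protocol` change now attaches `family`, `sock_type` and `protocol` to them). The example event earlier on this page (`Operation: file_inherit`, `Mask: send receive`, `Network family: inet`, `Socket type: stream`) is one of these, so the user is never offered a `network inet stream` rule for it. Since the needed fields are already on `e`, the `XXX` could be resolved in this patch by mapping the event onto the network branch instead of discarding it.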
=== modified file 'utils/apparmor/rule/__init__.py'
--- utils/apparmor/rule/__init__.py 2016-01-25 22:42:45 +0000
+++ utils/apparmor/rule/__init__.py 2016-08-08 21:16:12 +0000
@@ -312,10 +312,13 @@
# delete rules that are covered by include files
if include_rules:
- for rule in self.rules:
- if include_rules.is_covered(rule, True, True):
- self.delete(rule)
+ oldrules = self.rules
+ self.rules = []
+ for rule in oldrules:
+ if include_rules.is_covered(rule, True, False):
deleted += 1
+ else:
+ self.rules.append(rule)
# de-duplicate rules inside the profile
deleted += self.delete_in_profile_duplicates()
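Review bot: the loop rewrite fixes deleting from `self.rules` while iterating over it (which skipped the element following each deletion, matching the `XXX huh? should be deleted!` entries removed from the test), but the hunk also changes the third argument of `is_covered` from `True` to `False` without explanation; that alters which rules count as covered by the include and deserves a sentence in the commit message or a comment, since it is not part of the iteration fix.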
=== modified file 'utils/test/test-capability.py'
--- utils/test/test-capability.py 2015-11-23 23:22:37 +0000
+++ utils/test/test-capability.py 2016-08-08 21:16:12 +0000
@@ -817,7 +817,6 @@
inc.add(CapabilityRule.parse(rule))
expected_raw = [
- ' allow capability sys_admin,', # XXX huh? should be deleted!
' deny capability chgrp, # example comment',
'',
]
@@ -825,11 +824,9 @@
expected_clean = [
' deny capability chgrp, # example comment',
'',
- ' allow capability sys_admin,', # XXX huh? should be deleted!
- '',
]
- self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
+ self.assertEqual(self.ruleset.delete_duplicates(inc), 2)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))


@ -1,324 +0,0 @@
------------------------------------------------------------
revno: 3353
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Thu 2016-10-13 20:29:59 +0200
message:
syslog-ng profile: allow writing *.qf files
These files are needed for disk-based buffering (added in syslog-ng 3.8).
This was reported to me by Peter Czanik, one of the syslog-ng developers.
Note: I'm not sure about adding @{CHROOT_BASE} to this rule, so for now
I prefer not to do it - adding it later is easy, but finding out if it
could be removed is hard ;-)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3352
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-10-05 20:53:37 +0200
message:
Add missing permissions to dovecot profiles
- dovecot/auth: allow to read stats-user
- dovecot/config: allow to read /usr/share/dovecot/**
- dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
/usr/share/dovecot/**
These things were reported by Félix Sipma in Debian Bug#835826
(with some help from sarnold on IRC)
References: https://bugs.debian.org/835826
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Also allow reading ~/.dovecot.svbin (that's the default filename in the
dovecot config) in dovecot/lmtp profile.
(*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but
that's already covered by the existing rules.)
References: https://bugs.debian.org/835826 (again)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3351
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-10-03 21:02:15 +0200
message:
Drop CMD_CONTINUE from ui.py (twice)
The latest version of pyflakes (1.3.0 / python 3.5) complains that
CMD_CONTINUE is defined twice in ui.py (with different texts).
Funnily CMD_CONTINUE isn't used anywhere, so we can just drop both.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3350
fixes bug: https://launchpad.net/bugs/1379874
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sat 2016-10-01 20:25:51 +0200
message:
[39/38] Ignore exec events for non-existing profiles
The switch to FileRule made some bugs visible that survived unnoticed
with hasher for years.
If aa-logprof sees an exec event for a non-existing profile _and_ a
profile file matching the expected profile filename exists in
/etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
being silent). In the old code, this created a superfluous entry
somewhere in the aa hasher, and caused the existing profile to be
rewritten (without changes).
However, with FileRule it causes a crash saying
File ".../utils/apparmor/aa.py", line 1335, in handle_children
aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
AttributeError: 'collections.defaultdict' object has no attribute 'add'
This patch makes sure exec events for unknown profiles get ignored.
Reproducer:
python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
This causes a crash without this patch because
/etc/apparmor.d/sbin.klogd exists, but has
profile klogd /{usr/,}sbin/klogd {
References: https://bugs.launchpad.net/bugs/1379874
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
*** *** *** backport
*** *** *** --fixes lp:1379874
------------------------------------------------------------
revno: 3349
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Fri 2016-09-30 00:08:08 +0200
message:
Allow both paths in traceroute profile
In 2011 (r1803), the traceroute profile was changed to also match
/usr/bin/traceroute.db:
/usr/{sbin/traceroute,bin/traceroute.db} {
However, permissions for /usr/bin/traceroute.db were never added.
This patch fixes this.
While on it, also change the /usr/sbin/traceroute permissions from
rmix to the less confusing mrix.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3348
committer: Tyler Hicks <tyhicks@canonical.com>
branch nick: apparmor-2.10
timestamp: Wed 2016-09-14 12:50:43 -0500
message:
libapparmor: Force libtoolize to replace existing files
Fixes build error when attempting to build and test the 2.10.95 release
on Ubuntu 14.04:
$ (cd libraries/libapparmor/ && ./autogen.sh && ./configure && \
make && make check) > /dev/null
...
libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-0.1, but the
libtool: definition of this LT_INIT comes from libtool 2.4.2.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-0.1
libtool: and run autoconf again.
make[2]: *** [grammar.lo] Error 63
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1
The --force option is needed to regenerate the libtool file in
libraries/libapparmor/.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
------------------------------------------------------------
revno: 3347
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-09-12 23:35:00 +0200
message:
Allow 'kcm' in network rules
This is probably
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/plain/Documentation/networking/kcm.txt
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
=== modified file 'libraries/libapparmor/autogen.sh'
--- libraries/libapparmor/autogen.sh 2014-01-03 23:13:26 +0000
+++ libraries/libapparmor/autogen.sh 2016-09-14 17:50:43 +0000
@@ -38,6 +38,6 @@
echo "Running autoconf"
autoconf --force
echo "Running libtoolize"
-libtoolize --automake -c
+libtoolize --automake -c --force
echo "Running automake"
automake -ac
=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
--- profiles/apparmor.d/sbin.syslog-ng 2015-11-11 15:44:47 +0000
+++ profiles/apparmor.d/sbin.syslog-ng 2016-10-13 18:29:59 +0000
@@ -48,6 +48,7 @@
/{usr/,}sbin/syslog-ng mr,
/sys/devices/system/cpu/online r,
/usr/share/syslog-ng/** r,
+ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
@{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
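Review bot: `?` matches exactly one character, so `/var/lib/syslog-ng/syslog-ng-?????.qf` only matches queue files whose identifier is exactly five characters long; if that length is an observation from one system rather than something syslog-ng guarantees, `/var/lib/syslog-ng/syslog-ng-*.qf rw,` avoids a fresh denial the day the id format changes, at the cost of matching any `.qf` file with that prefix.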
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth 2016-04-06 22:53:30 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2016-10-05 18:53:37 +0000
@@ -38,7 +38,7 @@
/var/tmp/smtp_* rw,
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
- /{var/,}run/dovecot/stats-user w,
+ /{var/,}run/dovecot/stats-user rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.auth>
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.config'
--- profiles/apparmor.d/usr.lib.dovecot.config 2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.config 2016-10-05 18:53:37 +0000
@@ -23,6 +23,7 @@
/usr/bin/doveconf rix,
/usr/lib/dovecot/config mr,
/usr/lib/dovecot/managesieve Px,
+ /usr/share/dovecot/** r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.config>
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:53:37 +0000
@@ -25,7 +25,14 @@
@{DOVECOT_MAILSTORE}/** rwkl,
@{HOME} r, # ???
- /usr/lib/dovecot/imap mr,
+
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/conf.d/ r,
+ /etc/dovecot/conf.d/** r,
+
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/imap mrix,
+ /usr/share/dovecot/** r,
/{,var/}run/dovecot/auth-master rw,
/{,var/}run/dovecot/mounts r,
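Review bot: `/etc/dovecot/conf.d/** r,` grants the imap process read access to the whole configuration tree, which on many installations includes files carrying secrets (database passwords in `*.conf.ext`, passdb files); after this change only DAC permissions on those files stand between the mail user's imap process and the credentials. If imap only needs what `doveconf` reads, consider confining `doveconf` with its own profile (`Px`) instead of `rix`, which inherits the imap profile and is the reason the config paths have to be opened up here.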
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
--- profiles/apparmor.d/usr.lib.dovecot.lmtp 2015-04-27 19:33:06 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2016-10-05 18:53:37 +0000
@@ -25,6 +25,8 @@
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
+ @{HOME}/.dovecot.svbin r,
+
/proc/*/mounts r,
/tmp/dovecot.lmtp.* rw,
/usr/lib/dovecot/lmtp mr,
=== modified file 'profiles/apparmor.d/usr.sbin.traceroute'
--- profiles/apparmor.d/usr.sbin.traceroute 2011-11-30 12:15:21 +0000
+++ profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:08:08 +0000
@@ -20,7 +20,8 @@
network inet raw,
network inet6 raw,
- /usr/sbin/traceroute rmix,
+ /usr/sbin/traceroute mrix,
+ /usr/bin/traceroute.db mrix,
@{PROC}/net/route r,
# Site-specific additions and overrides. See local/README for details.
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2016-08-15 20:06:47 +0000
+++ utils/apparmor/aa.py 2016-10-01 18:25:51 +0000
@@ -1168,6 +1168,9 @@
prelog[aamode][profile][hat]['path'][path] = mode
if do_execute:
+ if not aa[profile][hat]:
+ continue # ignore log entries for non-existing profiles
+
if profile_known_exec(aa[profile][hat], 'exec', exec_target):
continue
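Review bot: `if not aa[profile][hat]:` is evaluated on a hasher, so the lookup itself creates an empty `aa[profile][hat]` entry as a side effect; after the `continue`, later code that iterates over `aa` or tests `profile in aa` will see a phantom, empty profile. A membership test (`if profile not in aa or hat not in aa[profile]:`) ignores the event without mutating the structure, which is what the commit message describes.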
=== modified file 'utils/apparmor/rule/network.py'
--- utils/apparmor/rule/network.py 2016-02-18 22:31:56 +0000
+++ utils/apparmor/rule/network.py 2016-09-12 21:35:00 +0000
@@ -27,7 +27,7 @@
network_domain_keywords = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
- 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]
+ 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm' ]
network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
network_protocol_keywords = ['tcp', 'udp', 'icmp']
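Review bot: adding `kcm` to the utils' keyword list only helps if the parser's own network family table accepts it too; otherwise aa-logprof can now write `network kcm,` into a profile that `apparmor_parser` then refuses to load. Please confirm the parser side (and the kernel's AF_KCM support) before this ships, and replace the "This is probably ..." wording in the commit message with the confirmed reference.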
=== modified file 'utils/apparmor/ui.py'
--- utils/apparmor/ui.py 2014-11-17 12:30:04 +0000
+++ utils/apparmor/ui.py 2016-10-03 19:02:15 +0000
@@ -249,7 +249,6 @@
'CMD_EXEC_IX_ON': _('(X) ix On'),
'CMD_EXEC_IX_OFF': _('(X) ix Off'),
'CMD_SAVE': _('(S)ave Changes'),
- 'CMD_CONTINUE': _('(C)ontinue Profiling'),
'CMD_NEW': _('(N)ew'),
'CMD_GLOB': _('(G)lob'),
'CMD_GLOBEXT': _('Glob with (E)xtension'),
@@ -278,7 +277,6 @@
'CMD_NET_FAMILY': _('Allow Network Fa(m)ily'),
'CMD_OVERWRITE': _('(O)verwrite Profile'),
'CMD_KEEP': _('(K)eep Profile'),
- 'CMD_CONTINUE': _('(C)ontinue'),
'CMD_IGNORE_ENTRY': _('(I)gnore')
}


@ -1,42 +0,0 @@
Index: libraries/libapparmor/swig/python/Makefile.am
===================================================================
--- libraries/libapparmor/swig/python/Makefile.am.orig 2014-01-06 23:08:55.000000000 +0100
+++ libraries/libapparmor/swig/python/Makefile.am 2016-08-26 18:03:52.526582753 +0200
@@ -6,9 +6,8 @@ SUBDIRS = test
libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i
$(SWIG) -python -I$(srcdir)/../../include -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i
- mv LibAppArmor.py __init__.py
-MOSTLYCLEANFILES=libapparmor_wrap.c __init__.py
+MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
all-local: libapparmor_wrap.c setup.py
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
Index: libraries/libapparmor/swig/python/__init__.py
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ libraries/libapparmor/swig/python/__init__.py 2016-08-26 18:03:16.790763701 +0200
@@ -0,0 +1 @@
+from LibAppArmor.LibAppArmor import *
Index: libraries/libapparmor/swig/python/Makefile.in
===================================================================
--- libraries/libapparmor/swig/python/Makefile.in.orig 2016-04-20 11:09:04.000000000 +0200
+++ libraries/libapparmor/swig/python/Makefile.in 2016-08-26 18:04:51.770288833 +0200
@@ -326,7 +326,7 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@HAVE_PYTHON_TRUE@EXTRA_DIST = libapparmor_wrap.c
@HAVE_PYTHON_TRUE@SUBDIRS = test
-@HAVE_PYTHON_TRUE@MOSTLYCLEANFILES = libapparmor_wrap.c __init__.py
+@HAVE_PYTHON_TRUE@MOSTLYCLEANFILES = libapparmor_wrap.c LibAppArmor.py
all: all-recursive
.SUFFIXES:
@@ -648,7 +648,6 @@ uninstall-am:
@HAVE_PYTHON_TRUE@libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i
@HAVE_PYTHON_TRUE@ $(SWIG) -python -I$(srcdir)/../../include -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i
-@HAVE_PYTHON_TRUE@ mv LibAppArmor.py __init__.py
@HAVE_PYTHON_TRUE@all-local: libapparmor_wrap.c setup.py
@HAVE_PYTHON_TRUE@ if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
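Review bot: `Makefile.in` is generated from `Makefile.am`, so this hunk hand-edits output that the next `autogen.sh` run (which, per the autogen.sh hunk above, now also passes `--force` to libtoolize) will regenerate from the `.am` file; keeping both in sync by hand is fragile, and the `Makefile.in` part can be dropped entirely if the package build runs `autogen.sh` before `configure`.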


@ -1,26 +0,0 @@
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:49 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2016-10-22 19:55:04 +0000
@@ -46,7 +46,7 @@
# to vast speed increases when working with network-based lookups.
/{,var/}run/.nscd_socket rw,
/{,var/}run/nscd/socket rw,
- /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,hosts} r,
+ /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
# nscd renames and unlinks files in it's operation that clients will
# have open
/{,var/}run/nscd/db* rmix,
=== modified file 'profiles/apparmor.d/usr.sbin.nscd'
--- profiles/apparmor.d/usr.sbin.nscd 2016-03-21 20:30:19 +0000
+++ profiles/apparmor.d/usr.sbin.nscd 2016-10-22 19:54:36 +0000
@@ -28,7 +28,7 @@
/{,var/}run/nscd/ rw,
/{,var/}run/nscd/db* rwl,
/{,var/}run/nscd/socket wl,
- /{var/cache,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+ /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
/{,var/}run/{nscd/,}nscd.pid rwl,
/var/log/nscd.log rw,
@{PROC}/@{pid}/cmdline r,