cc896b26e3
- add changes-since-2.10.1--r3326..3346.diff with upstream changes and fixes since the 2.10.1 release, including - allow dac_override in winbindd profile (boo#990006#c5) - allow mr for /usr/lib*/ldb/*.so in samba abstractions (needed since Samba 4.4.x, boo#990006) - abstractions/nameservice: also support ConnMan-managed resolv.conf - let aa-genprof ask about profiles in extra dir (again) - fix aa-logprof "add hat" endless loop (lp#1538306) - honor 'chown' file events in logparser.py - ignore log file events with a request mask of 'send' or 'receive' because they are actually network events (lp#1577051, lp#1582374) - accept hostname with dots when parsing logs (lp#1453300 comments #1 and #2) - fix python LibAppArmor import failures with swig > 3.0.8 (boo#987607) (libapparmor-fix-import-path.diff) - refresh apparmor-abstractions-no-multiline.diff - drop upstreamed profiles-ping-inet6-r3449.diff - add %check section - runs libapparmor (including swig bindings), parser and profiles tests - add BuildRequires: perl(Locale::gettext) - needed for parser tests OBS-URL: https://build.opensuse.org/request/show/423291 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=152
876 lines
35 KiB
Diff
876 lines
35 KiB
Diff
------------------------------------------------------------
|
|
revno: 3346
|
|
behebt den Fehler: https://launchpad.net/bugs/1538306
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Mon 2016-08-15 22:06:47 +0200
|
|
message:
|
|
Fix aa-logprof "add hat" endless loop
|
|
|
|
This turned out to be a simple case of misinterpreting the promptUser()
|
|
result - it returns the answer and the selected option, and
|
|
"surprisingly" something like
|
|
('CMD_ADDHAT', 0)
|
|
never matched
|
|
'CMD_ADDHAT'
|
|
;-)
|
|
|
|
I also noticed that the new hat doesn't get initialized as
|
|
profile_storage(), and that the changed profile doesn't get marked as
|
|
changed. This is also fixed by this patch.
|
|
|
|
|
|
References: https://bugs.launchpad.net/apparmor/+bug/1538306
|
|
|
|
|
|
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
|
|
------------------------------------------------------------
|
|
revno: 3345
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Fri 2016-08-12 12:02:43 +0200
|
|
message:
|
|
type_is_str(): make pyflakes3 happy
|
|
|
|
pyflakes3 doesn't check sys.version and therefore complains about
|
|
'unicode' being undefined.
|
|
|
|
This patch defines unicode as alias of str to make pyflakes3 happy, and
|
|
as a side effect, simplifies type_is_str().
|
|
|
|
|
|
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
|
|
------------------------------------------------------------
|
|
revno: 3344
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Mon 2016-08-08 23:16:12 +0200
|
|
message:
|
|
delete_duplicates(): don't modify self.rules while looping over it
|
|
|
|
By calling self.delete() inside the delete_duplicates() loop, the
|
|
self.rules list was modified. This resulted in some rules not being
|
|
checked and therefore (some, not all) superfluous rules not being
|
|
removed.
|
|
|
|
This patch switches to a temporary variable to loop over, and rebuilds
|
|
self.rules with the rules that are not superfluous.
|
|
|
|
This also fixes some strange issues already marked with a "Huh?" comment
|
|
in the tests.
|
|
|
|
|
|
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
|
|
|
|
Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule,
|
|
therefore the cleanprof_test.out change doesn't make sense for 2.10.
|
|
------------------------------------------------------------
|
|
revno: 3343
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Wed 2016-08-03 21:53:06 +0200
|
|
message:
|
|
winbindd profile: allow dac_override
|
|
|
|
This is needed to delete kerberos ccache files, for details see
|
|
https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5
|
|
|
|
|
|
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
|
|
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9.
|
|
------------------------------------------------------------
|
|
revno: 3342
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Sun 2016-07-31 17:15:42 +0200
|
|
message:
|
|
logparser: store network-related params if an event looks like network
|
|
|
|
Network events can come with an operation= that looks like a file event.
|
|
Nevertheless, if the event has a typical network parameter (like
|
|
net_protocol) set, make sure to store the network-related flags in ev.
|
|
|
|
This fixes the test failure introduced in my last commit.
|
|
|
|
|
|
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
|
|
------------------------------------------------------------
|
|
revno: 3341
|
|
behebt den Fehler: https://launchpad.net/bugs/1577051
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Sat 2016-07-30 00:44:18 +0200
|
|
message:
|
|
logparser.py: ignore network events with 'send receive'
|
|
|
|
We already ignore network events that look like file events (based on
|
|
the operation keyword) if they have a request_mask of 'send' or
|
|
'receive' to avoid aa-logprof crashes because of "unknown" permissions.
|
|
It turned out that both can happen at once, so we should also ignore
|
|
this case.
|
|
|
|
Also add the now-ignored log event as test_multi testcase.
|
|
|
|
|
|
References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13
|
|
|
|
|
|
Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
|
|
------------------------------------------------------------
|
|
revno: 3340
|
|
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
branch nick: 2.10
|
|
timestamp: Fri 2016-07-29 11:46:16 -0700
|
|
message:
|
|
add ld.so.preload to <abstractions/base>, thanks to Uzair Shamim
|
|
------------------------------------------------------------
|
|
revno: 3339
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Tue 2016-07-26 21:13:49 +0200
|
|
message:
|
|
Allow mr for /usr/lib*/ldb/*.so in samba abstractions
|
|
|
|
This is needed for winbindd (since samba 4.4.x), but smbd could also need it.
|
|
|
|
References: https://bugzilla.opensuse.org/show_bug.cgi?id=990006
|
|
|
|
|
|
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
|
|
------------------------------------------------------------
|
|
revno: 3338
|
|
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
branch nick: 2.10
|
|
timestamp: Fri 2016-06-24 10:36:42 -0700
|
|
message:
|
|
intrigeri@boum.org 2016-06-24 mod_apparmor manpage: fix "documenation" typo.
|
|
------------------------------------------------------------
|
|
revno: 3337
|
|
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
branch nick: 2.10
|
|
timestamp: Wed 2016-06-22 15:15:42 -0700
|
|
message:
|
|
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Date: Tue, 21 Jun 2016 18:18:45 +0100
|
|
Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf
|
|
|
|
Follow the same logic we already did for NetworkManager,
|
|
resolvconf and systemd-resolved. The wonderful thing about
|
|
standards is that there are so many to choose from.
|
|
|
|
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
[modified by sarnold to fit the surroundings]
|
|
------------------------------------------------------------
|
|
revno: 3336
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Sun 2016-06-05 23:43:55 +0200
|
|
message:
|
|
Add a note about still enforcing deny rules to aa-complain manpage
|
|
|
|
This behaviour makes sense (for example to force the confined program to
|
|
use a fallback path), but is probably surprising for users, so we should
|
|
document it.
|
|
|
|
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218#37
|
|
|
|
|
|
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
|
|
------------------------------------------------------------
|
|
revno: 3335
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Sun 2016-06-05 20:07:33 +0200
|
|
message:
|
|
honor 'chown' file events in logparser.py
|
|
|
|
Also add a testcase to libapparmor's log collection
|
|
|
|
|
|
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
|
|
------------------------------------------------------------
|
|
revno: 3334
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Wed 2016-06-01 21:06:25 +0200
|
|
message:
|
|
aa-genprof: ask about profiles in extra dir (again)
|
|
|
|
Thanks to reading the wrong directory in read_inactive_profiles()
|
|
(profile_dir instead of extra_profile_dir), aa-genprof never asked about
|
|
using a profile from the extra_profile_dir.
|
|
|
|
Sounds like an easy fix, right? ;-)
|
|
|
|
After fixing this (last chunk), several other errors popped up, one
|
|
after the other:
|
|
- get_profile() missed a required parameter in a serialize_profile() call
|
|
- when saving the profile, it was written to extra_profile_dir, not to
|
|
profile_dir where it (as a now-active profile) should be. This is
|
|
fixed by removing the filename from existing_profiles{} so that it can
|
|
pick up the default name.
|
|
- CMD_FINISHED (when asking if the extra profile should be used or a new
|
|
one) behaved exactly like CMD_CREATE_PROFILE, but this is surprising
|
|
for the user. Remove it to avoid confusion.
|
|
- displaying the extra profile was only implemented in YaST mode
|
|
- get_pager() returned None, not an actual pager. Since we have 'less'
|
|
hardcoded at several places, also return it in get_pager()
|
|
|
|
Finally, also remove CMD_FINISHED from the get_profile() test in
|
|
test-translations.py.
|
|
|
|
|
|
(test-translations.py is only in trunk, therefore this part of the patch
|
|
is obviously trunk-only.)
|
|
|
|
|
|
|
|
|
|
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk
|
|
Acked-by: John Johansen <john.johansen@canonical.com> for trunk + a 50% ACK for 2.10 and 2.9
|
|
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
|
|
------------------------------------------------------------
|
|
revno: 3333
|
|
behebt die Fehler: https://launchpad.net/bugs/1577051 https://launchpad.net/bugs/1582374
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Mon 2016-05-23 23:32:23 +0200
|
|
message:
|
|
Ignore file events with a request mask of 'send' or 'receive'
|
|
|
|
Those events are actually network events, so ideally we should map them
|
|
as such. Unfortunately this requires bigger changes, so here is a hotfix
|
|
that ignores those events and thus avoids crashing aa-logprof.
|
|
|
|
References: https://bugs.launchpad.net/apparmor/+bug/1577051
|
|
https://bugs.launchpad.net/apparmor/+bug/1582374
|
|
|
|
|
|
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
|
|
------------------------------------------------------------
|
|
revno: 3332
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Sun 2016-05-22 14:51:55 +0200
|
|
message:
|
|
Document empty quotes ("") as empty value of a variable
|
|
|
|
|
|
Acked-by: Seth Arnold <seth.arnold@canonical.com> for all branches where this makes sense :)
|
|
------------------------------------------------------------
|
|
revno: 3331
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Wed 2016-05-18 21:18:34 +0200
|
|
message:
|
|
allow inet6 in ping profile
|
|
|
|
The latest iputils merged ping and ping6 into a single binary that does
|
|
both IPv4 and IPv6 pings (by default, it really does both).
|
|
This means we need to allow network inet6 raw in the ping profile.
|
|
|
|
References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596
|
|
(contains more details and example output)
|
|
|
|
|
|
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
|
|
------------------------------------------------------------
|
|
revno: 3330
|
|
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
branch nick: 2.10
|
|
timestamp: Wed 2016-05-11 17:23:22 -0700
|
|
message:
|
|
dbus-session-strict: allow access to the user bus socket
|
|
|
|
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Date: Wed, 4 May 2016 13:48:36 +0100
|
|
Subject: dbus-session-strict: allow access to the user bus socket
|
|
|
|
If dbus is configured with --enable-user-bus (for example in the
|
|
dbus-user-session package in Debian and its derivatives), and the user
|
|
session is started with systemd, then the "dbus-daemon --session" will be
|
|
started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus. Similarly,
|
|
on systems where dbus-daemon has been replaced with kdbus, the
|
|
bridge/proxy used to provide compatibility with the traditional D-Bus
|
|
protocol listens on that same socket.
|
|
|
|
In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems,
|
|
where $uid represents the numeric uid. I have not used /{var/,}run here,
|
|
because systemd does not support configurations where /var/run and /run
|
|
are distinct; in practice, /var/run is a symbolic link.
|
|
|
|
Based on a patch by Sjoerd Simons, which originally used the historical
|
|
path /run/user/*/dbus/user_bus_socket. That path was popularized by the
|
|
user-session-units git repository, but has never been used in a released
|
|
version of dbus and should be considered unsupported.
|
|
|
|
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
------------------------------------------------------------
|
|
revno: 3329
|
|
committer: Seth Arnold <seth.arnold@canonical.com>
|
|
branch nick: 2.10
|
|
timestamp: Wed 2016-05-11 16:30:29 -0700
|
|
message:
|
|
syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
|
|
|
|
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Date: Wed, 11 May 2016 13:52:56 +0100
|
|
Subject: syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
|
|
|
|
This test attempts to auto-skip the sysctl() part if that syscall
|
|
was not compiled into the current kernel, via
|
|
CONFIG_SYSCTL_SYSCALL=n. Unfortunately, this didn't actually work,
|
|
for two reasons:
|
|
|
|
* Because "${test} ro" wasn't in "&&", "||", a pipeline or an "if",
|
|
and it had nonzero exit status, the trap on ERR was triggered,
|
|
causing execution of the error_handler() shell function, which
|
|
aborts the test with a failed status. The rules for ERR are the
|
|
same as for "set -e", so we can circumvent it in the same ways.
|
|
* Because sysctl_syscall.c prints its diagnostic message to stderr,
|
|
but the $() operator only captures stdout, it never matched
|
|
in the string comparison. This is easily solved by redirecting
|
|
its stderr to stdout.
|
|
|
|
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
------------------------------------------------------------
|
|
revno: 3328
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Tue 2016-05-10 14:34:40 +0200
|
|
message:
|
|
load variables in ask_the_questions()
|
|
|
|
Variables can be used in several rule types (from the existing *Rule
|
|
classes: change_profile, dbus, ptrace, signal). It seems nobody uses
|
|
variables with those rules, otherwise we'd have received a bugreport ;-)
|
|
|
|
I noticed this while working on FileRule, where usage of variables is
|
|
more common. The file code in bzr (not using a *Rule class) already
|
|
loads the variables, so old versions don't need changes for file rule
|
|
handling.
|
|
|
|
However, 2.10 already has ChangeProfileRule and therefore also needs
|
|
this fix.
|
|
|
|
|
|
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
|
|
------------------------------------------------------------
|
|
revno: 3327
|
|
behebt den Fehler: https://launchpad.net/bugs/1453300
|
|
committer: Christian Boltz <apparmor@cboltz.de>
|
|
branch nick: 2.10
|
|
timestamp: Thu 2016-05-05 12:02:11 +0200
|
|
message:
|
|
accept hostname with dots
|
|
|
|
Some people have the full hostname in their syslog messages, so
|
|
libapparmor needs to accept hostnames that contain dots.
|
|
|
|
|
|
References: https://bugs.launchpad.net/apparmor/+bug/1453300 comments
|
|
#1 and #2 (the log samples reported by scrx in #apparmor)
|
|
|
|
|
|
|
|
Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
|
Acked-by: John Johansen <john.johansen@canonical.com>
|
|
for trunk, 2.10 and 2.9.
|
|
------------------------------------------------------------
|
|
revno: 3326
|
|
tags: apparmor_2.10.1
|
|
committer: John Johansen <john.johansen@canonical.com>
|
|
branch nick: 2.10
|
|
timestamp: Wed 2016-04-20 02:07:34 -0700
|
|
message:
|
|
common/Version: prepare for 2.10.1 release
|
|
=== modified file 'changehat/mod_apparmor/mod_apparmor.pod'
|
|
--- changehat/mod_apparmor/mod_apparmor.pod 2014-09-15 18:30:47 +0000
|
|
+++ changehat/mod_apparmor/mod_apparmor.pod 2016-06-24 17:36:42 +0000
|
|
@@ -65,7 +65,7 @@
|
|
|
|
AAHatName allows you to specify a hat to be used for a given Apache
|
|
E<lt>DirectoryE<gt>, E<lt>DirectoryMatchE<gt>, E<lt>LocationE<gt> or
|
|
-E<lt>LocationMatchE<gt> directive (see the Apache documenation for more
|
|
+E<lt>LocationMatchE<gt> directive (see the Apache documentation for more
|
|
details). Note that mod_apparmor behavior can become confused if
|
|
E<lt>Directory*E<gt> and E<lt>Location*E<gt> directives are intermingled
|
|
and it is recommended to use one type of directive. If the hat specified by
|
|
|
|
=== modified file 'libraries/libapparmor/src/scanner.l'
|
|
--- libraries/libapparmor/src/scanner.l 2015-06-02 08:00:29 +0000
|
|
+++ libraries/libapparmor/src/scanner.l 2016-05-05 10:02:11 +0000
|
|
@@ -178,7 +178,7 @@
|
|
hhmmss {digit}{2}{colon}{digit}{2}{colon}{digit}{2}
|
|
timezone ({plus}|{minus}){digit}{2}{colon}{digit}{2}
|
|
syslog_time {hhmmss}({period}{digits})?{timezone}?
|
|
-syslog_hostname [[:alnum:]_-]+
|
|
+syslog_hostname [[:alnum:]._-]+
|
|
dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
|
|
|
|
%x single_quoted_string
|
|
|
|
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.err'
|
|
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.in'
|
|
--- libraries/libapparmor/testsuite/test_multi/file_chown.in 1970-01-01 00:00:00 +0000
|
|
+++ libraries/libapparmor/testsuite/test_multi/file_chown.in 2016-06-05 18:07:33 +0000
|
|
@@ -0,0 +1,1 @@
|
|
+type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4
|
|
|
|
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.out'
|
|
--- libraries/libapparmor/testsuite/test_multi/file_chown.out 1970-01-01 00:00:00 +0000
|
|
+++ libraries/libapparmor/testsuite/test_multi/file_chown.out 2016-06-05 18:07:33 +0000
|
|
@@ -0,0 +1,15 @@
|
|
+START
|
|
+File: file_chown.in
|
|
+Event type: AA_RECORD_DENIED
|
|
+Audit ID: 1465133533.431:728
|
|
+Operation: chown
|
|
+Mask: w
|
|
+Denied Mask: w
|
|
+fsuid: 0
|
|
+ouid: 4
|
|
+Profile: /usr/sbin/cupsd
|
|
+Name: /run/cups/certs/
|
|
+Command: cupsd
|
|
+PID: 8515
|
|
+Epoch: 1465133533
|
|
+Audit subid: 728
|
|
|
|
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.err'
|
|
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in'
|
|
--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 1970-01-01 00:00:00 +0000
|
|
+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 2016-05-05 10:02:11 +0000
|
|
@@ -0,0 +1,1 @@
|
|
+Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" profile="/opt/evoke/venv/bin/gunicorn" name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=110
|
|
|
|
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out'
|
|
--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 1970-01-01 00:00:00 +0000
|
|
+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 2016-05-05 10:02:11 +0000
|
|
@@ -0,0 +1,15 @@
|
|
+START
|
|
+File: syslog_hostname_with_dot.in
|
|
+Event type: AA_RECORD_ALLOWED
|
|
+Audit ID: 1442256553.643:40143
|
|
+Operation: open
|
|
+Mask: r
|
|
+Denied Mask: r
|
|
+fsuid: 1000
|
|
+ouid: 110
|
|
+Profile: /opt/evoke/venv/bin/gunicorn
|
|
+Name: /opt/evoke/venv/lib/python2.7/warnings.pyc
|
|
+Command: gunicorn
|
|
+PID: 28943
|
|
+Epoch: 1442256553
|
|
+Audit subid: 40143
|
|
|
|
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err'
|
|
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in'
|
|
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 1970-01-01 00:00:00 +0000
|
|
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 2016-07-29 22:44:18 +0000
|
|
@@ -0,0 +1,1 @@
|
|
+Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive"
|
|
|
|
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out'
|
|
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 1970-01-01 00:00:00 +0000
|
|
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 2016-07-29 22:44:18 +0000
|
|
@@ -0,0 +1,19 @@
|
|
+START
|
|
+File: testcase_network_send_receive.in
|
|
+Event type: AA_RECORD_ALLOWED
|
|
+Audit ID: 1469785325.122:21021
|
|
+Operation: file_inherit
|
|
+Mask: send receive
|
|
+Denied Mask: send receive
|
|
+Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash
|
|
+Command: sh
|
|
+PID: 18239
|
|
+Network family: inet
|
|
+Socket type: stream
|
|
+Protocol: tcp
|
|
+Local addr: 192.168.10.3
|
|
+Foreign addr: 54.153.70.241
|
|
+Local port: 50758
|
|
+Foreign port: 443
|
|
+Epoch: 1469785325
|
|
+Audit subid: 21021
|
|
|
|
=== modified file 'parser/apparmor.d.pod'
|
|
--- parser/apparmor.d.pod 2016-02-12 20:43:42 +0000
|
|
+++ parser/apparmor.d.pod 2016-05-22 12:51:55 +0000
|
|
@@ -1234,7 +1234,8 @@
|
|
|
|
The parser will automatically expand variables to include all values
|
|
that they have been assigned; it is an error to reference a variable
|
|
-without setting at least one value.
|
|
+without setting at least one value. You can use empty quotes ("") to
|
|
+explicitly add an empty value.
|
|
|
|
At the time of this writing, the following variables are defined in the
|
|
provided AppArmor policy:
|
|
|
|
=== modified file 'profiles/apparmor.d/abstractions/base'
|
|
--- profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000
|
|
+++ profiles/apparmor.d/abstractions/base 2016-07-29 18:46:16 +0000
|
|
@@ -47,6 +47,7 @@
|
|
# ld.so.cache and ld are used to load shared libraries; they are best
|
|
# available everywhere
|
|
/etc/ld.so.cache mr,
|
|
+ /etc/ld.so.preload r,
|
|
/lib{,32,64}/ld{,32,64}-*.so mrix,
|
|
/lib{,32,64}/**/ld{,32,64}-*.so mrix,
|
|
/lib/@{multiarch}/ld{,32,64}-*.so mrix,
|
|
|
|
=== modified file 'profiles/apparmor.d/abstractions/dbus-session-strict'
|
|
--- profiles/apparmor.d/abstractions/dbus-session-strict 2014-09-03 20:11:05 +0000
|
|
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2016-05-12 00:23:22 +0000
|
|
@@ -17,6 +17,9 @@
|
|
type=stream
|
|
peer=(addr="@/tmp/dbus-*"),
|
|
|
|
+ # dbus with systemd and --enable-user-session
|
|
+ owner /run/user/[0-9]*/bus rw,
|
|
+
|
|
dbus send
|
|
bus=session
|
|
path=/org/freedesktop/DBus
|
|
|
|
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
|
|
--- profiles/apparmor.d/abstractions/nameservice 2016-01-05 23:04:34 +0000
|
|
+++ profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:42 +0000
|
|
@@ -33,14 +33,10 @@
|
|
/var/lib/sss/pipes/nss rw,
|
|
|
|
/etc/resolv.conf r,
|
|
- # on systems using resolvconf, /etc/resolv.conf is a symlink to
|
|
- # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
|
|
- # /etc/resolvconf/run/resolv.conf
|
|
- /{,var/}run/resolvconf/resolv.conf r,
|
|
+ # On systems where /etc/resolv.conf is managed programmatically, it is
|
|
+ # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
|
|
+ /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
|
|
/etc/resolvconf/run/resolv.conf r,
|
|
- # on systems using systemd's networkd, /etc/resolv.conf is a symlink to
|
|
- # /run/systemd/resolve/resolv.conf
|
|
- /{,var/}run/systemd/resolve/resolv.conf r,
|
|
|
|
/etc/samba/lmhosts r,
|
|
/etc/services r,
|
|
|
|
=== modified file 'profiles/apparmor.d/abstractions/samba'
|
|
--- profiles/apparmor.d/abstractions/samba 2015-05-18 23:25:26 +0000
|
|
+++ profiles/apparmor.d/abstractions/samba 2016-07-26 19:13:49 +0000
|
|
@@ -10,6 +10,7 @@
|
|
# ------------------------------------------------------------------
|
|
|
|
/etc/samba/* r,
|
|
+ /usr/lib*/ldb/*.so mr,
|
|
/usr/share/samba/*.dat r,
|
|
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
|
|
/var/cache/samba/ w,
|
|
|
|
=== modified file 'profiles/apparmor.d/bin.ping'
|
|
--- profiles/apparmor.d/bin.ping 2015-10-20 21:12:35 +0000
|
|
+++ profiles/apparmor.d/bin.ping 2016-05-18 19:18:34 +0000
|
|
@@ -18,6 +18,7 @@
|
|
capability net_raw,
|
|
capability setuid,
|
|
network inet raw,
|
|
+ network inet6 raw,
|
|
|
|
/{,usr/}bin/ping mixr,
|
|
/etc/modules.conf r,
|
|
|
|
=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
|
|
--- profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000
|
|
+++ profiles/apparmor.d/usr.sbin.winbindd 2016-08-03 19:53:06 +0000
|
|
@@ -7,6 +7,7 @@
|
|
|
|
deny capability block_suspend,
|
|
|
|
+ capability dac_override,
|
|
capability ipc_lock,
|
|
capability setuid,
|
|
|
|
|
|
=== modified file 'tests/regression/apparmor/syscall_sysctl.sh'
|
|
--- tests/regression/apparmor/syscall_sysctl.sh 2014-03-20 18:23:10 +0000
|
|
+++ tests/regression/apparmor/syscall_sysctl.sh 2016-05-11 23:30:29 +0000
|
|
@@ -149,8 +149,7 @@
|
|
# generally we want to encourage kernels to disable it, but if it's
|
|
# enabled we want to test against it
|
|
settest syscall_sysctl
|
|
-res=$(${test} ro)
|
|
-if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
|
|
+if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
|
|
echo " WARNING: syscall sysctl not implemented, skipping tests ..."
|
|
else
|
|
test_syscall_sysctl
|
|
|
|
=== modified file 'utils/aa-complain.pod'
|
|
--- utils/aa-complain.pod 2014-09-15 18:30:47 +0000
|
|
+++ utils/aa-complain.pod 2016-06-05 21:43:55 +0000
|
|
@@ -41,6 +41,8 @@
|
|
In this mode security policy is not enforced but rather access violations
|
|
are logged to the system log.
|
|
|
|
+Note that 'deny' rules will be enforced even in complain mode.
|
|
+
|
|
=head1 BUGS
|
|
|
|
If you find any bugs, please report them at
|
|
|
|
=== modified file 'utils/aa-mergeprof'
|
|
--- utils/aa-mergeprof 2015-07-06 20:02:34 +0000
|
|
+++ utils/aa-mergeprof 2016-05-10 12:34:40 +0000
|
|
@@ -1,6 +1,7 @@
|
|
#! /usr/bin/env python
|
|
# ----------------------------------------------------------------------
|
|
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
|
|
+# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de>
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
@@ -17,7 +18,7 @@
|
|
import os
|
|
|
|
import apparmor.aa
|
|
-from apparmor.aa import available_buttons, combine_name, delete_duplicates, is_known_rule, match_includes
|
|
+from apparmor.aa import available_buttons, combine_name, delete_duplicates, get_profile_filename, is_known_rule, match_includes
|
|
import apparmor.aamode
|
|
from apparmor.common import AppArmorException
|
|
from apparmor.regex import re_match_include
|
|
@@ -283,6 +284,9 @@
|
|
if not sev_db:
|
|
sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown'))
|
|
|
|
+ sev_db.unload_variables()
|
|
+ sev_db.load_variables(get_profile_filename(profile))
|
|
+
|
|
for hat in sorted(other.aa[profile].keys()):
|
|
#Add the includes from the other profile to the user profile
|
|
done = False
|
|
|
|
=== modified file 'utils/apparmor/aa.py'
|
|
--- utils/apparmor/aa.py 2016-03-01 20:25:29 +0000
|
|
+++ utils/apparmor/aa.py 2016-08-15 20:06:47 +0000
|
|
@@ -1,6 +1,6 @@
|
|
# ----------------------------------------------------------------------
|
|
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
|
|
-# Copyright (C) 2014-2015 Christian Boltz <apparmor@cboltz.de>
|
|
+# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de>
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
@@ -557,8 +557,11 @@
|
|
inactive_profile[prof_name][prof_name].pop('filename')
|
|
profile_hash[uname]['username'] = uname
|
|
profile_hash[uname]['profile_type'] = 'INACTIVE_LOCAL'
|
|
- profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name)
|
|
+ profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name, None)
|
|
profile_hash[uname]['profile_data'] = inactive_profile
|
|
+
|
|
+ existing_profiles.pop(prof_name) # remove profile filename from list to force storing in /etc/apparmor.d/ instead of extra_profile_dir
|
|
+
|
|
# If no profiles in repo and no inactive profiles
|
|
if not profile_hash.keys():
|
|
return None
|
|
@@ -579,18 +582,13 @@
|
|
|
|
q = aaui.PromptQuestion()
|
|
q.headers = ['Profile', prof_name]
|
|
- q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE',
|
|
- 'CMD_ABORT', 'CMD_FINISHED']
|
|
+ q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT']
|
|
q.default = "CMD_VIEW_PROFILE"
|
|
q.options = options
|
|
q.selected = 0
|
|
|
|
ans = ''
|
|
while 'CMD_USE_PROFILE' not in ans and 'CMD_CREATE_PROFILE' not in ans:
|
|
- if ans == 'CMD_FINISHED':
|
|
- save_profiles()
|
|
- return
|
|
-
|
|
ans, arg = q.promptUser()
|
|
p = profile_hash[options[arg]]
|
|
q.selected = options.index(options[arg])
|
|
@@ -602,12 +600,13 @@
|
|
'profile_type': p['profile_type']
|
|
})
|
|
ypath, yarg = GetDataFromYast()
|
|
- #else:
|
|
- # pager = get_pager()
|
|
- # proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
|
|
+ else:
|
|
+ pager = get_pager()
|
|
+ proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
|
|
# proc.communicate('Profile submitted by %s:\n\n%s\n\n' %
|
|
# (options[arg], p['profile']))
|
|
- # proc.kill()
|
|
+ proc.communicate(p['profile'].encode())
|
|
+ proc.kill()
|
|
elif ans == 'CMD_USE_PROFILE':
|
|
if p['profile_type'] == 'INACTIVE_LOCAL':
|
|
profile_data = p['profile_data']
|
|
@@ -658,6 +657,7 @@
|
|
if not profile_data:
|
|
profile_data = create_new_profile(pname)
|
|
file = get_profile_filename(pname)
|
|
+ profile_data[pname][pname]['filename'] = None # will be stored in /etc/apparmor.d when saving, so it shouldn't carry the extra_profile_dir filename
|
|
attach_profile_data(aa, profile_data)
|
|
attach_profile_data(original_aa, profile_data)
|
|
if os.path.isfile(profile_dir + '/tunables/global'):
|
|
@@ -1095,7 +1095,7 @@
|
|
|
|
seen_events += 1
|
|
|
|
- ans = q.promptUser()
|
|
+ ans = q.promptUser()[0]
|
|
|
|
if ans == 'CMD_FINISHED':
|
|
save_profiles()
|
|
@@ -1105,7 +1105,9 @@
|
|
|
|
if ans == 'CMD_ADDHAT':
|
|
hat = uhat
|
|
+ aa[profile][hat] = profile_storage(profile, hat, 'handle_children addhat')
|
|
aa[profile][hat]['flags'] = aa[profile][profile]['flags']
|
|
+ changed[profile] = True
|
|
elif ans == 'CMD_USEDEFAULT':
|
|
hat = default_hat
|
|
elif ans == 'CMD_DENY':
|
|
@@ -1590,6 +1592,10 @@
|
|
UI_SelectUpdatedRepoProfile(profile, p)
|
|
|
|
found += 1
|
|
+
|
|
+ sev_db.unload_variables()
|
|
+ sev_db.load_variables(get_profile_filename(profile))
|
|
+
|
|
# Sorted list of hats with the profile name coming first
|
|
hats = list(filter(lambda key: key != profile, sorted(log_dict[aamode][profile].keys())))
|
|
if log_dict[aamode][profile].get(profile, False):
|
|
@@ -2305,7 +2311,7 @@
|
|
reload_base(profile_name)
|
|
|
|
def get_pager():
|
|
- pass
|
|
+ return 'less'
|
|
|
|
def generate_diff(oldprofile, newprofile):
|
|
oldtemp = tempfile.NamedTemporaryFile('w')
|
|
@@ -2504,7 +2510,7 @@
|
|
except:
|
|
fatal_error(_("Can't read AppArmor profiles in %s") % extra_profile_dir)
|
|
|
|
- for file in os.listdir(profile_dir):
|
|
+ for file in os.listdir(extra_profile_dir):
|
|
if os.path.isfile(extra_profile_dir + '/' + file):
|
|
if is_skippable_file(file):
|
|
continue
|
|
|
|
=== modified file 'utils/apparmor/common.py'
|
|
--- utils/apparmor/common.py 2015-12-17 22:38:02 +0000
|
|
+++ utils/apparmor/common.py 2016-08-12 10:02:43 +0000
|
|
@@ -245,11 +245,12 @@
|
|
return False
|
|
return True
|
|
|
|
+if sys.version_info[0] > 2:
|
|
+ unicode = str # python 3 dropped the unicode type. To keep type_is_str() simple (and pyflakes3 happy), re-create it as alias of str.
|
|
+
|
|
def type_is_str(var):
|
|
''' returns True if the given variable is a str (or unicode string when using python 2)'''
|
|
- if type(var) == str:
|
|
- return True
|
|
- elif sys.version_info[0] < 3 and type(var) == unicode: # python 2 sometimes uses the 'unicode' type
|
|
+ if type(var) in [str, unicode]: # python 2 sometimes uses the 'unicode' type
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
=== modified file 'utils/apparmor/logparser.py'
|
|
--- utils/apparmor/logparser.py 2016-02-10 18:09:57 +0000
|
|
+++ utils/apparmor/logparser.py 2016-07-31 15:15:42 +0000
|
|
@@ -133,7 +133,7 @@
|
|
ev['denied_mask'] = event.denied_mask
|
|
ev['request_mask'] = event.requested_mask
|
|
ev['magic_token'] = event.magic_token
|
|
- if ev['operation'] and self.op_type(ev['operation']) == 'net':
|
|
+ if ev['operation'] and (self.op_type(ev['operation']) == 'net' or event.net_protocol):
|
|
ev['family'] = event.net_family
|
|
ev['protocol'] = event.net_protocol
|
|
ev['sock_type'] = event.net_sock_type
|
|
@@ -278,7 +278,7 @@
|
|
self.debug_logger.debug('parse_event_for_tree: dropped exec event in %s' % e['profile'])
|
|
|
|
elif ( e['operation'].startswith('file_') or e['operation'].startswith('inode_') or
|
|
- e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'rename_src',
|
|
+ e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'chown', 'rename_src',
|
|
'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link',
|
|
'sysctl', 'getattr', 'setattr', 'xattr'] ):
|
|
|
|
@@ -289,6 +289,13 @@
|
|
self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e)
|
|
return None
|
|
|
|
+ # sometimes network events come with an e['operation'] that matches the list of file operations
|
|
+ # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374
|
|
+ # XXX these events are network events, so we should map them as such
|
|
+ if 'send' in e['request_mask'] or 'receive' in e['request_mask']:
|
|
+ self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e)
|
|
+ return None
|
|
+
|
|
# Map c (create) and d (delete) to w (logging is more detailed than the profile language)
|
|
rmask = e['request_mask']
|
|
rmask = rmask.replace('c', 'w')
|
|
|
|
=== modified file 'utils/apparmor/rule/__init__.py'
|
|
--- utils/apparmor/rule/__init__.py 2016-01-25 22:42:45 +0000
|
|
+++ utils/apparmor/rule/__init__.py 2016-08-08 21:16:12 +0000
|
|
@@ -312,10 +312,13 @@
|
|
|
|
# delete rules that are covered by include files
|
|
if include_rules:
|
|
- for rule in self.rules:
|
|
- if include_rules.is_covered(rule, True, True):
|
|
- self.delete(rule)
|
|
+ oldrules = self.rules
|
|
+ self.rules = []
|
|
+ for rule in oldrules:
|
|
+ if include_rules.is_covered(rule, True, False):
|
|
deleted += 1
|
|
+ else:
|
|
+ self.rules.append(rule)
|
|
|
|
# de-duplicate rules inside the profile
|
|
deleted += self.delete_in_profile_duplicates()
|
|
|
|
=== modified file 'utils/test/test-capability.py'
|
|
--- utils/test/test-capability.py 2015-11-23 23:22:37 +0000
|
|
+++ utils/test/test-capability.py 2016-08-08 21:16:12 +0000
|
|
@@ -817,7 +817,6 @@
|
|
inc.add(CapabilityRule.parse(rule))
|
|
|
|
expected_raw = [
|
|
- ' allow capability sys_admin,', # XXX huh? should be deleted!
|
|
' deny capability chgrp, # example comment',
|
|
'',
|
|
]
|
|
@@ -825,11 +824,9 @@
|
|
expected_clean = [
|
|
' deny capability chgrp, # example comment',
|
|
'',
|
|
- ' allow capability sys_admin,', # XXX huh? should be deleted!
|
|
- '',
|
|
]
|
|
|
|
- self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
|
|
+ self.assertEqual(self.ruleset.delete_duplicates(inc), 2)
|
|
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
|
|
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
|
|
|
|
|