apparmor/changes-since-2.10.1--r3326..3346.diff
Christian Boltz cc896b26e3 Accepting request 423291 from home:cboltz
- add changes-since-2.10.1--r3326..3346.diff with upstream changes and
  fixes since the 2.10.1 release, including
  - allow dac_override in winbindd profile (boo#990006#c5)
  - allow mr for /usr/lib*/ldb/*.so in samba abstractions (needed since
    Samba 4.4.x, boo#990006)
  - abstractions/nameservice: also support ConnMan-managed resolv.conf
  - let aa-genprof ask about profiles in extra dir (again)
  - fix aa-logprof "add hat" endless loop (lp#1538306)
  - honor 'chown' file events in logparser.py
  - ignore log file events with a request mask of 'send' or 'receive'
    because they are actually network events (lp#1577051, lp#1582374)
  - accept hostname with dots when parsing logs (lp#1453300 comments #1 and #2)
- fix python LibAppArmor import failures with swig > 3.0.8 (boo#987607)
  (libapparmor-fix-import-path.diff)
- refresh apparmor-abstractions-no-multiline.diff
- drop upstreamed profiles-ping-inet6-r3449.diff
- add %check section - runs libapparmor (including swig bindings),
  parser and profiles tests
- add BuildRequires: perl(Locale::gettext) - needed for parser tests

OBS-URL: https://build.opensuse.org/request/show/423291
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=152
2016-08-26 22:07:45 +00:00

876 lines
35 KiB
Diff

------------------------------------------------------------
revno: 3346
behebt den Fehler: https://launchpad.net/bugs/1538306
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-08-15 22:06:47 +0200
message:
Fix aa-logprof "add hat" endless loop
This turned out to be a simple case of misinterpreting the promptUser()
result - it returns the answer and the selected option, and
"surprisingly" something like
('CMD_ADDHAT', 0)
never matched
'CMD_ADDHAT'
;-)
I also noticed that the new hat doesn't get initialized as
profile_storage(), and that the changed profile doesn't get marked as
changed. This is also fixed by this patch.
References: https://bugs.launchpad.net/apparmor/+bug/1538306
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3345
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Fri 2016-08-12 12:02:43 +0200
message:
type_is_str(): make pyflakes3 happy
pyflakes3 doesn't check sys.version and therefore complains about
'unicode' being undefined.
This patch defines unicode as alias of str to make pyflakes3 happy, and
as a side effect, simplifies type_is_str().
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
------------------------------------------------------------
revno: 3344
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-08-08 23:16:12 +0200
message:
delete_duplicates(): don't modify self.rules while looping over it
By calling self.delete() inside the delete_duplicates() loop, the
self.rules list was modified. This resulted in some rules not being
checked and therefore (some, not all) superfluous rules not being
removed.
This patch switches to a temporary variable to loop over, and rebuilds
self.rules with the rules that are not superfluous.
This also fixes some strange issues already marked with a "Huh?" comment
in the tests.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule,
therefore the cleanprof_test.out change doesn't make sense for 2.10.
------------------------------------------------------------
revno: 3343
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-08-03 21:53:06 +0200
message:
winbindd profile: allow dac_override
This is needed to delete kerberos ccache files, for details see
https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3342
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-07-31 17:15:42 +0200
message:
logparser: store network-related params if an event looks like network
Network events can come with an operation= that looks like a file event.
Nevertheless, if the event has a typical network parameter (like
net_protocol) set, make sure to store the network-related flags in ev.
This fixes the test failure introduced in my last commit.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3341
behebt den Fehler: https://launchpad.net/bugs/1577051
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sat 2016-07-30 00:44:18 +0200
message:
logparser.py: ignore network events with 'send receive'
We already ignore network events that look like file events (based on
the operation keyword) if they have a request_mask of 'send' or
'receive' to avoid aa-logprof crashes because of "unknown" permissions.
It turned out that both can happen at once, so we should also ignore
this case.
Also add the now-ignored log event as test_multi testcase.
References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13
Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3340
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Fri 2016-07-29 11:46:16 -0700
message:
add ld.so.preload to <abstractions/base>, thanks to Uzair Shamim
------------------------------------------------------------
revno: 3339
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Tue 2016-07-26 21:13:49 +0200
message:
Allow mr for /usr/lib*/ldb/*.so in samba abstractions
This is needed for winbindd (since samba 4.4.x), but smbd could also need it.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=990006
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3338
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Fri 2016-06-24 10:36:42 -0700
message:
intrigeri@boum.org 2016-06-24 mod_apparmor manpage: fix "documenation" typo.
------------------------------------------------------------
revno: 3337
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-06-22 15:15:42 -0700
message:
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Tue, 21 Jun 2016 18:18:45 +0100
Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf
Follow the same logic we already did for NetworkManager,
resolvconf and systemd-resolved. The wonderful thing about
standards is that there are so many to choose from.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[modified by sarnold to fit the surroundings]
------------------------------------------------------------
revno: 3336
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-06-05 23:43:55 +0200
message:
Add a note about still enforcing deny rules to aa-complain manpage
This behaviour makes sense (for example to force the confined program to
use a fallback path), but is probably surprising for users, so we should
document it.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218#37
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3335
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-06-05 20:07:33 +0200
message:
honor 'chown' file events in logparser.py
Also add a testcase to libapparmor's log collection
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3334
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-06-01 21:06:25 +0200
message:
aa-genprof: ask about profiles in extra dir (again)
Thanks to reading the wrong directory in read_inactive_profiles()
(profile_dir instead of extra_profile_dir), aa-genprof never asked about
using a profile from the extra_profile_dir.
Sounds like an easy fix, right? ;-)
After fixing this (last chunk), several other errors popped up, one
after the other:
- get_profile() missed a required parameter in a serialize_profile() call
- when saving the profile, it was written to extra_profile_dir, not to
profile_dir where it (as a now-active profile) should be. This is
fixed by removing the filename from existing_profiles{} so that it can
pick up the default name.
- CMD_FINISHED (when asking if the extra profile should be used or a new
one) behaved exactly like CMD_CREATE_PROFILE, but this is surprising
for the user. Remove it to avoid confusion.
- displaying the extra profile was only implemented in YaST mode
- get_pager() returned None, not an actual pager. Since we have 'less'
hardcoded at several places, also return it in get_pager()
Finally, also remove CMD_FINISHED from the get_profile() test in
test-translations.py.
(test-translations.py is only in trunk, therefore this part of the patch
is obviously trunk-only.)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk
Acked-by: John Johansen <john.johansen@canonical.com> for trunk + a 50% ACK for 2.10 and 2.9
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3333
behebt die Fehler: https://launchpad.net/bugs/1577051 https://launchpad.net/bugs/1582374
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-05-23 23:32:23 +0200
message:
Ignore file events with a request mask of 'send' or 'receive'
Those events are actually network events, so ideally we should map them
as such. Unfortunately this requires bigger changes, so here is a hotfix
that ignores those events and thus avoids crashing aa-logprof.
References: https://bugs.launchpad.net/apparmor/+bug/1577051
https://bugs.launchpad.net/apparmor/+bug/1582374
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3332
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-05-22 14:51:55 +0200
message:
Document empty quotes ("") as empty value of a variable
Acked-by: Seth Arnold <seth.arnold@canonical.com> for all branches where this makes sense :)
------------------------------------------------------------
revno: 3331
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-05-18 21:18:34 +0200
message:
allow inet6 in ping profile
The latest iputils merged ping and ping6 into a single binary that does
both IPv4 and IPv6 pings (by default, it really does both).
This means we need to allow network inet6 raw in the ping profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596
(contains more details and example output)
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3330
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-05-11 17:23:22 -0700
message:
dbus-session-strict: allow access to the user bus socket
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 4 May 2016 13:48:36 +0100
Subject: dbus-session-strict: allow access to the user bus socket
If dbus is configured with --enable-user-bus (for example in the
dbus-user-session package in Debian and its derivatives), and the user
session is started with systemd, then the "dbus-daemon --session" will be
started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus. Similarly,
on systems where dbus-daemon has been replaced with kdbus, the
bridge/proxy used to provide compatibility with the traditional D-Bus
protocol listens on that same socket.
In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems,
where $uid represents the numeric uid. I have not used /{var/,}run here,
because systemd does not support configurations where /var/run and /run
are distinct; in practice, /var/run is a symbolic link.
Based on a patch by Sjoerd Simons, which originally used the historical
path /run/user/*/dbus/user_bus_socket. That path was popularized by the
user-session-units git repository, but has never been used in a released
version of dbus and should be considered unsupported.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
------------------------------------------------------------
revno: 3329
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-05-11 16:30:29 -0700
message:
syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 11 May 2016 13:52:56 +0100
Subject: syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
This test attempts to auto-skip the sysctl() part if that syscall
was not compiled into the current kernel, via
CONFIG_SYSCTL_SYSCALL=n. Unfortunately, this didn't actually work,
for two reasons:
* Because "${test} ro" wasn't in "&&", "||", a pipeline or an "if",
and it had nonzero exit status, the trap on ERR was triggered,
causing execution of the error_handler() shell function, which
aborts the test with a failed status. The rules for ERR are the
same as for "set -e", so we can circumvent it in the same ways.
* Because sysctl_syscall.c prints its diagnostic message to stderr,
but the $() operator only captures stdout, it never matched
in the string comparison. This is easily solved by redirecting
its stderr to stdout.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
------------------------------------------------------------
revno: 3328
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Tue 2016-05-10 14:34:40 +0200
message:
load variables in ask_the_questions()
Variables can be used in several rule types (from the existing *Rule
classes: change_profile, dbus, ptrace, signal). It seems nobody uses
variables with those rules, otherwise we'd have received a bugreport ;-)
I noticed this while working on FileRule, where usage of variables is
more common. The file code in bzr (not using a *Rule class) already
loads the variables, so old versions don't need changes for file rule
handling.
However, 2.10 already has ChangeProfileRule and therefore also needs
this fix.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
------------------------------------------------------------
revno: 3327
behebt den Fehler: https://launchpad.net/bugs/1453300
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Thu 2016-05-05 12:02:11 +0200
message:
accept hostname with dots
Some people have the full hostname in their syslog messages, so
libapparmor needs to accept hostnames that contain dots.
References: https://bugs.launchpad.net/apparmor/+bug/1453300 comments
#1 and #2 (the log samples reported by scrx in #apparmor)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3326
tags: apparmor_2.10.1
committer: John Johansen <john.johansen@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-04-20 02:07:34 -0700
message:
common/Version: prepare for 2.10.1 release
=== modified file 'changehat/mod_apparmor/mod_apparmor.pod'
--- changehat/mod_apparmor/mod_apparmor.pod 2014-09-15 18:30:47 +0000
+++ changehat/mod_apparmor/mod_apparmor.pod 2016-06-24 17:36:42 +0000
@@ -65,7 +65,7 @@
AAHatName allows you to specify a hat to be used for a given Apache
E<lt>DirectoryE<gt>, E<lt>DirectoryMatchE<gt>, E<lt>LocationE<gt> or
-E<lt>LocationMatchE<gt> directive (see the Apache documenation for more
+E<lt>LocationMatchE<gt> directive (see the Apache documentation for more
details). Note that mod_apparmor behavior can become confused if
E<lt>Directory*E<gt> and E<lt>Location*E<gt> directives are intermingled
and it is recommended to use one type of directive. If the hat specified by
=== modified file 'libraries/libapparmor/src/scanner.l'
--- libraries/libapparmor/src/scanner.l 2015-06-02 08:00:29 +0000
+++ libraries/libapparmor/src/scanner.l 2016-05-05 10:02:11 +0000
@@ -178,7 +178,7 @@
hhmmss {digit}{2}{colon}{digit}{2}{colon}{digit}{2}
timezone ({plus}|{minus}){digit}{2}{colon}{digit}{2}
syslog_time {hhmmss}({period}{digits})?{timezone}?
-syslog_hostname [[:alnum:]_-]+
+syslog_hostname [[:alnum:]._-]+
dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
%x single_quoted_string
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.in'
--- libraries/libapparmor/testsuite/test_multi/file_chown.in 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/file_chown.in 2016-06-05 18:07:33 +0000
@@ -0,0 +1,1 @@
+type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.out'
--- libraries/libapparmor/testsuite/test_multi/file_chown.out 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/file_chown.out 2016-06-05 18:07:33 +0000
@@ -0,0 +1,15 @@
+START
+File: file_chown.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1465133533.431:728
+Operation: chown
+Mask: w
+Denied Mask: w
+fsuid: 0
+ouid: 4
+Profile: /usr/sbin/cupsd
+Name: /run/cups/certs/
+Command: cupsd
+PID: 8515
+Epoch: 1465133533
+Audit subid: 728
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in'
--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 2016-05-05 10:02:11 +0000
@@ -0,0 +1,1 @@
+Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" profile="/opt/evoke/venv/bin/gunicorn" name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=110
=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out'
--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 2016-05-05 10:02:11 +0000
@@ -0,0 +1,15 @@
+START
+File: syslog_hostname_with_dot.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1442256553.643:40143
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 110
+Profile: /opt/evoke/venv/bin/gunicorn
+Name: /opt/evoke/venv/lib/python2.7/warnings.pyc
+Command: gunicorn
+PID: 28943
+Epoch: 1442256553
+Audit subid: 40143
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 2016-07-29 22:44:18 +0000
@@ -0,0 +1,1 @@
+Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive"
=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 2016-07-29 22:44:18 +0000
@@ -0,0 +1,19 @@
+START
+File: testcase_network_send_receive.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1469785325.122:21021
+Operation: file_inherit
+Mask: send receive
+Denied Mask: send receive
+Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash
+Command: sh
+PID: 18239
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.10.3
+Foreign addr: 54.153.70.241
+Local port: 50758
+Foreign port: 443
+Epoch: 1469785325
+Audit subid: 21021
=== modified file 'parser/apparmor.d.pod'
--- parser/apparmor.d.pod 2016-02-12 20:43:42 +0000
+++ parser/apparmor.d.pod 2016-05-22 12:51:55 +0000
@@ -1234,7 +1234,8 @@
The parser will automatically expand variables to include all values
that they have been assigned; it is an error to reference a variable
-without setting at least one value.
+without setting at least one value. You can use empty quotes ("") to
+explicitly add an empty value.
At the time of this writing, the following variables are defined in the
provided AppArmor policy:
=== modified file 'profiles/apparmor.d/abstractions/base'
--- profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000
+++ profiles/apparmor.d/abstractions/base 2016-07-29 18:46:16 +0000
@@ -47,6 +47,7 @@
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
/etc/ld.so.cache mr,
+ /etc/ld.so.preload r,
/lib{,32,64}/ld{,32,64}-*.so mrix,
/lib{,32,64}/**/ld{,32,64}-*.so mrix,
/lib/@{multiarch}/ld{,32,64}-*.so mrix,
=== modified file 'profiles/apparmor.d/abstractions/dbus-session-strict'
--- profiles/apparmor.d/abstractions/dbus-session-strict 2014-09-03 20:11:05 +0000
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2016-05-12 00:23:22 +0000
@@ -17,6 +17,9 @@
type=stream
peer=(addr="@/tmp/dbus-*"),
+ # dbus with systemd and --enable-user-session
+ owner /run/user/[0-9]*/bus rw,
+
dbus send
bus=session
path=/org/freedesktop/DBus
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2016-01-05 23:04:34 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:42 +0000
@@ -33,14 +33,10 @@
/var/lib/sss/pipes/nss rw,
/etc/resolv.conf r,
- # on systems using resolvconf, /etc/resolv.conf is a symlink to
- # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
- # /etc/resolvconf/run/resolv.conf
- /{,var/}run/resolvconf/resolv.conf r,
+ # On systems where /etc/resolv.conf is managed programmatically, it is
+ # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
+ /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
/etc/resolvconf/run/resolv.conf r,
- # on systems using systemd's networkd, /etc/resolv.conf is a symlink to
- # /run/systemd/resolve/resolv.conf
- /{,var/}run/systemd/resolve/resolv.conf r,
/etc/samba/lmhosts r,
/etc/services r,
=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba 2015-05-18 23:25:26 +0000
+++ profiles/apparmor.d/abstractions/samba 2016-07-26 19:13:49 +0000
@@ -10,6 +10,7 @@
# ------------------------------------------------------------------
/etc/samba/* r,
+ /usr/lib*/ldb/*.so mr,
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/cache/samba/ w,
=== modified file 'profiles/apparmor.d/bin.ping'
--- profiles/apparmor.d/bin.ping 2015-10-20 21:12:35 +0000
+++ profiles/apparmor.d/bin.ping 2016-05-18 19:18:34 +0000
@@ -18,6 +18,7 @@
capability net_raw,
capability setuid,
network inet raw,
+ network inet6 raw,
/{,usr/}bin/ping mixr,
/etc/modules.conf r,
=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000
+++ profiles/apparmor.d/usr.sbin.winbindd 2016-08-03 19:53:06 +0000
@@ -7,6 +7,7 @@
deny capability block_suspend,
+ capability dac_override,
capability ipc_lock,
capability setuid,
=== modified file 'tests/regression/apparmor/syscall_sysctl.sh'
--- tests/regression/apparmor/syscall_sysctl.sh 2014-03-20 18:23:10 +0000
+++ tests/regression/apparmor/syscall_sysctl.sh 2016-05-11 23:30:29 +0000
@@ -149,8 +149,7 @@
# generally we want to encourage kernels to disable it, but if it's
# enabled we want to test against it
settest syscall_sysctl
-res=$(${test} ro)
-if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
+if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
echo " WARNING: syscall sysctl not implemented, skipping tests ..."
else
test_syscall_sysctl
=== modified file 'utils/aa-complain.pod'
--- utils/aa-complain.pod 2014-09-15 18:30:47 +0000
+++ utils/aa-complain.pod 2016-06-05 21:43:55 +0000
@@ -41,6 +41,8 @@
In this mode security policy is not enforced but rather access violations
are logged to the system log.
+Note that 'deny' rules will be enforced even in complain mode.
+
=head1 BUGS
If you find any bugs, please report them at
=== modified file 'utils/aa-mergeprof'
--- utils/aa-mergeprof 2015-07-06 20:02:34 +0000
+++ utils/aa-mergeprof 2016-05-10 12:34:40 +0000
@@ -1,6 +1,7 @@
#! /usr/bin/env python
# ----------------------------------------------------------------------
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
+# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -17,7 +18,7 @@
import os
import apparmor.aa
-from apparmor.aa import available_buttons, combine_name, delete_duplicates, is_known_rule, match_includes
+from apparmor.aa import available_buttons, combine_name, delete_duplicates, get_profile_filename, is_known_rule, match_includes
import apparmor.aamode
from apparmor.common import AppArmorException
from apparmor.regex import re_match_include
@@ -283,6 +284,9 @@
if not sev_db:
sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown'))
+ sev_db.unload_variables()
+ sev_db.load_variables(get_profile_filename(profile))
+
for hat in sorted(other.aa[profile].keys()):
#Add the includes from the other profile to the user profile
done = False
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2016-03-01 20:25:29 +0000
+++ utils/apparmor/aa.py 2016-08-15 20:06:47 +0000
@@ -1,6 +1,6 @@
# ----------------------------------------------------------------------
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
-# Copyright (C) 2014-2015 Christian Boltz <apparmor@cboltz.de>
+# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -557,8 +557,11 @@
inactive_profile[prof_name][prof_name].pop('filename')
profile_hash[uname]['username'] = uname
profile_hash[uname]['profile_type'] = 'INACTIVE_LOCAL'
- profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name)
+ profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name, None)
profile_hash[uname]['profile_data'] = inactive_profile
+
+ existing_profiles.pop(prof_name) # remove profile filename from list to force storing in /etc/apparmor.d/ instead of extra_profile_dir
+
# If no profiles in repo and no inactive profiles
if not profile_hash.keys():
return None
@@ -579,18 +582,13 @@
q = aaui.PromptQuestion()
q.headers = ['Profile', prof_name]
- q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE',
- 'CMD_ABORT', 'CMD_FINISHED']
+ q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT']
q.default = "CMD_VIEW_PROFILE"
q.options = options
q.selected = 0
ans = ''
while 'CMD_USE_PROFILE' not in ans and 'CMD_CREATE_PROFILE' not in ans:
- if ans == 'CMD_FINISHED':
- save_profiles()
- return
-
ans, arg = q.promptUser()
p = profile_hash[options[arg]]
q.selected = options.index(options[arg])
@@ -602,12 +600,13 @@
'profile_type': p['profile_type']
})
ypath, yarg = GetDataFromYast()
- #else:
- # pager = get_pager()
- # proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
+ else:
+ pager = get_pager()
+ proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
# proc.communicate('Profile submitted by %s:\n\n%s\n\n' %
# (options[arg], p['profile']))
- # proc.kill()
+ proc.communicate(p['profile'].encode())
+ proc.kill()
elif ans == 'CMD_USE_PROFILE':
if p['profile_type'] == 'INACTIVE_LOCAL':
profile_data = p['profile_data']
@@ -658,6 +657,7 @@
if not profile_data:
profile_data = create_new_profile(pname)
file = get_profile_filename(pname)
+ profile_data[pname][pname]['filename'] = None # will be stored in /etc/apparmor.d when saving, so it shouldn't carry the extra_profile_dir filename
attach_profile_data(aa, profile_data)
attach_profile_data(original_aa, profile_data)
if os.path.isfile(profile_dir + '/tunables/global'):
@@ -1095,7 +1095,7 @@
seen_events += 1
- ans = q.promptUser()
+ ans = q.promptUser()[0]
if ans == 'CMD_FINISHED':
save_profiles()
@@ -1105,7 +1105,9 @@
if ans == 'CMD_ADDHAT':
hat = uhat
+ aa[profile][hat] = profile_storage(profile, hat, 'handle_children addhat')
aa[profile][hat]['flags'] = aa[profile][profile]['flags']
+ changed[profile] = True
elif ans == 'CMD_USEDEFAULT':
hat = default_hat
elif ans == 'CMD_DENY':
@@ -1590,6 +1592,10 @@
UI_SelectUpdatedRepoProfile(profile, p)
found += 1
+
+ sev_db.unload_variables()
+ sev_db.load_variables(get_profile_filename(profile))
+
# Sorted list of hats with the profile name coming first
hats = list(filter(lambda key: key != profile, sorted(log_dict[aamode][profile].keys())))
if log_dict[aamode][profile].get(profile, False):
@@ -2305,7 +2311,7 @@
reload_base(profile_name)
def get_pager():
- pass
+ return 'less'
def generate_diff(oldprofile, newprofile):
oldtemp = tempfile.NamedTemporaryFile('w')
@@ -2504,7 +2510,7 @@
except:
fatal_error(_("Can't read AppArmor profiles in %s") % extra_profile_dir)
- for file in os.listdir(profile_dir):
+ for file in os.listdir(extra_profile_dir):
if os.path.isfile(extra_profile_dir + '/' + file):
if is_skippable_file(file):
continue
=== modified file 'utils/apparmor/common.py'
--- utils/apparmor/common.py 2015-12-17 22:38:02 +0000
+++ utils/apparmor/common.py 2016-08-12 10:02:43 +0000
@@ -245,11 +245,12 @@
return False
return True
+if sys.version_info[0] > 2:
+ unicode = str # python 3 dropped the unicode type. To keep type_is_str() simple (and pyflakes3 happy), re-create it as alias of str.
+
def type_is_str(var):
''' returns True if the given variable is a str (or unicode string when using python 2)'''
- if type(var) == str:
- return True
- elif sys.version_info[0] < 3 and type(var) == unicode: # python 2 sometimes uses the 'unicode' type
+ if type(var) in [str, unicode]: # python 2 sometimes uses the 'unicode' type
return True
else:
return False
=== modified file 'utils/apparmor/logparser.py'
--- utils/apparmor/logparser.py 2016-02-10 18:09:57 +0000
+++ utils/apparmor/logparser.py 2016-07-31 15:15:42 +0000
@@ -133,7 +133,7 @@
ev['denied_mask'] = event.denied_mask
ev['request_mask'] = event.requested_mask
ev['magic_token'] = event.magic_token
- if ev['operation'] and self.op_type(ev['operation']) == 'net':
+ if ev['operation'] and (self.op_type(ev['operation']) == 'net' or event.net_protocol):
ev['family'] = event.net_family
ev['protocol'] = event.net_protocol
ev['sock_type'] = event.net_sock_type
@@ -278,7 +278,7 @@
self.debug_logger.debug('parse_event_for_tree: dropped exec event in %s' % e['profile'])
elif ( e['operation'].startswith('file_') or e['operation'].startswith('inode_') or
- e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'rename_src',
+ e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'chown', 'rename_src',
'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link',
'sysctl', 'getattr', 'setattr', 'xattr'] ):
@@ -289,6 +289,13 @@
self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e)
return None
+ # sometimes network events come with an e['operation'] that matches the list of file operations
+ # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374
+ # XXX these events are network events, so we should map them as such
+ if 'send' in e['request_mask'] or 'receive' in e['request_mask']:
+ self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e)
+ return None
+
# Map c (create) and d (delete) to w (logging is more detailed than the profile language)
rmask = e['request_mask']
rmask = rmask.replace('c', 'w')
=== modified file 'utils/apparmor/rule/__init__.py'
--- utils/apparmor/rule/__init__.py 2016-01-25 22:42:45 +0000
+++ utils/apparmor/rule/__init__.py 2016-08-08 21:16:12 +0000
@@ -312,10 +312,13 @@
# delete rules that are covered by include files
if include_rules:
- for rule in self.rules:
- if include_rules.is_covered(rule, True, True):
- self.delete(rule)
+ oldrules = self.rules
+ self.rules = []
+ for rule in oldrules:
+ if include_rules.is_covered(rule, True, False):
deleted += 1
+ else:
+ self.rules.append(rule)
# de-duplicate rules inside the profile
deleted += self.delete_in_profile_duplicates()
=== modified file 'utils/test/test-capability.py'
--- utils/test/test-capability.py 2015-11-23 23:22:37 +0000
+++ utils/test/test-capability.py 2016-08-08 21:16:12 +0000
@@ -817,7 +817,6 @@
inc.add(CapabilityRule.parse(rule))
expected_raw = [
- ' allow capability sys_admin,', # XXX huh? should be deleted!
' deny capability chgrp, # example comment',
'',
]
@@ -825,11 +824,9 @@
expected_clean = [
' deny capability chgrp, # example comment',
'',
- ' allow capability sys_admin,', # XXX huh? should be deleted!
- '',
]
- self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
+ self.assertEqual(self.ruleset.delete_duplicates(inc), 2)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))