apparmor/changes-since-2.13.4.diff
Christian Boltz 15e585724c Accepting request 807998 from home:cboltz
- add changes-since-2.13.4.diff with upstream changes and fixes
  since 2.13.4 up to 5f61bd4c:
  - add several abstractions related to xdg-open:
    dbus-network-manager-strict, exo-open, gio-open, gvfs-open,
    kde-open5, xdg-open
  - introduce @{run} variable
  - update dnsmasq and winbindd profile
  - update mdns, mesa and nameservice abstraction
  - some bugfixes in the aa-* tools, including a remote bugfix in the
    YaST AppArmor module (boo#1171315)
- drop upstream(ed) patches (now part of changes-since-2.13.4.diff):
  - make-4.3-capabilities.diff
  - make-4.3-capabilities-vim.diff
  - make-4.3-fix-utils-network-test.diff
  - make-4.3-network.diff
  - abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch
- apply usr-etc-abstractions-base-nameservice.diff only for
  Tumbleweed, but not for Leap 15.x where it's not needed
- refresh usr-etc-abstractions-base-nameservice.diff

OBS-URL: https://build.opensuse.org/request/show/807998
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=266
2020-05-21 13:33:21 +00:00

commit 5f61bd4cf2c84c25ab5b106c4e58bc490dfa0ac2
Merge: e038123f 72c2a7d2
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Wed May 20 19:23:21 2020 +0000
Merge branch 'cboltz-2.13-collapse-log' into 'apparmor-2.13'
[2.12+2.13] collapse_log(): avoid accidentally initializing aa[profile]
See merge request apparmor/apparmor!539
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12 and 2.13
commit 72c2a7d2de6a86ecb7a4bab0f5b25052f4aca3bf
Author: Christian Boltz <apparmor@cboltz.de>
Date: Wed May 20 20:06:27 2020 +0200
collapse_log(): avoid accidentally initializing aa[profile]
... or calling is_known_rule() on events for non-existing hats.
It's the usual hasher() "fun" again - accessing a non-existing element
will create its parent.
In theory this commit might be worth a backport. In practice, it doesn't cause
any visible problem.
However, starting with the next commit, it will cause lots of test errors.
Also add a missing is_known_rule() call for dbus rules, which might have
caused similar hasher() "fun".
(Backported from 9f1b2f4014ef27c5e7a17acadd03221387bb9809)
commit e038123f8f1d31cc5d1ff639e06342357ca0d094
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Tue May 12 19:43:44 2020 +0000
Merge branch 'cboltz-fail-verbose' into 'master'
read_profile(): don't fail silently
See merge request apparmor/apparmor!530
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..master
(cherry picked from commit e0f9b7cb0760a16a4691baf771d17d5b8d6f2ee2)
af8b9dc5 read_profile(): don't fail silently
commit 28411030392ec372728d0f489e5573b11407a67e
Author: nl6720 <nl6720@gmail.com>
Date: Thu Feb 20 10:40:22 2020 +0200
profiles: add trailing slash to the run variable definition
Merge request apparmor/apparmor!466 (454fca7483eae) pulled back the
@{run} variable definition from apparmor/apparmor!454 (452b5b8735e4)
to the 2.13 and 2.12 branches, to make backporting profile changes
easier. However, it did not include the followup fix to the @{run}
definition to include trailing slashes to ensure they are treated as
directories (apparmor/apparmor!456 ef591a67cedc).
Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit ef591a67cedc1da0676b26448ea96fa8c073c253)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/533
commit 0e89e79a324c42945ca097fb2fb132f2c25c3afe
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Sun May 10 22:54:34 2020 +0000
Merge branch 'cboltz-vim-alias' into 'master'
apparmor.vim: allow leading whitespace for alias rules
See merge request apparmor/apparmor!527
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..master
(cherry picked from commit ae70ecfbaafd2d2b18f51fe16e4107f861c2d8af)
c636580f apparmor.vim: allow leading whitespace for alias rules
commit 0ad7109eea32467b274426be771adeea7276d9d4
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Thu May 7 17:59:06 2020 +0000
Merge branch 'cboltz-less-shell' into 'master'
less shell ;-)
See merge request apparmor/apparmor!520
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6b55794074fb4e74a1e28b3eb1d1b97c2be1c06e)
48bae9e3 less shell ;-)
commit eb5185c96193e1370d06e46297289deea8aa3588
Merge: 6c638c97 da07cdf7
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Thu May 7 10:18:12 2020 +0000
Merge branch 'cboltz-2.13-genprof-fix-json' into 'apparmor-2.13'
[2.11..2.13] Fix showing the local inactive profile in json mode
See merge request apparmor/apparmor!516
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.12 and 2.13
commit da07cdf79c5643878712e5a6e0fb6d7aadf71c61
Author: Christian Boltz <apparmor@cboltz.de>
Date: Wed May 6 23:20:07 2020 +0200
Fix showing the local inactive profile in json mode
When aa-genprof proposes a local inactive profile, it had a hardcoded
call to 'less' to display that profile.
Unsurprisingly, this doesn't work in JSON mode and breaks YaST (luckily
it's only a case of "the button doesn't work").
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1171315
(cherry picked from commit 68a258b0064d98c376631fa27904a5be1a2e0044)
(cherry picked from commit cb95e9a2568b19e2e7601c0af363e0605a6889d9)
commit 6e9dd6494b628639620523f48aeaf2aceed11584
Author: Christian Boltz <apparmor@cboltz.de>
Date: Thu May 7 01:06:05 2020 +0200
Split off UI_ShowFile() from UI_Changes
UI_ShowFile() is more generic and can be used to display various (text)
files, not only diffs.
(cherry picked from commit bb3803b931683c841768ba6256c29e16bebd2eeb,
adjusted for 2.13 branch)
commit 6c638c97c528bb062f6c84a511340413a217e742
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Sun May 3 19:27:57 2020 +0000
Merge branch 'cboltz-vim-if-exists' into 'master'
apparmor.vim: support 'include if exists'
See merge request apparmor/apparmor!500
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
(cherry picked from commit a4864146e2d5b39bdc9635507f784fb5a268212b)
efa7c6d6 apparmor.vim: support 'include if exists'
commit b3dff41eb70eaf702467723d447c6893ef6f06c5
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Sun Apr 26 11:43:14 2020 +0000
Merge branch 'privacy' into 'master'
Privacy statement
See merge request apparmor/apparmor!441
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 4281b58c896c79294c813e6b6a36d05b1cdb0298)
bfde89a6 infrastructure: Add privacy statement to the README
commit cca58df6f52dc047857bdc2e7836b19a349fc177
Author: John Johansen <john@jjmx.net>
Date: Sun Apr 26 09:45:04 2020 +0000
Merge Fixings for crosscompilation
This series adds a couple of patches to make the software more crosscompilation friendly. They are based on the work I'm doing to fix the package on buildroot
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/485
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9ba2334423cccc811c0e59e3af604f06631a3d4f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 95b75a628a93e4ef1493b0be31968f4a3f13ff18
Author: Daniel Gerber <dger@gitlab.notspecified>
Date: Mon Apr 20 16:47:11 2020 -0700
fix fails to load profiles in busybox with:
egrep: bad regex '^/.[ \t]+flags[ \t]=[ \t]*([ \t]complain[ \t])[ \t]+{': Invalid contents of {}
Note the final non-escaped {.
The issue is not present any more in branch master.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/80
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit ddb747c0a9a39d00c2f55fa0e182d6b61ff1c5a8
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Sun Apr 12 09:45:12 2020 +0000
Merge branch 'profile-usr.sbin.dnsmasq' into 'master'
usr.sbin.dnsmasq: update to support dnsmasq 2.81
See merge request apparmor/apparmor!475
Acked-by: Christian Boltz for 2.11..master
(cherry picked from commit acafe9de826f7f9292fa0e7e8c3fc2a2c41d265a)
88c142c6 usr.sbin.dnsmasq: allow reading @{PROC}/@{pid}/fd/ as is needed by dnsmasq 2.81
commit 01841ade3a96ba372d78bbdca8c3c4ac61364afd
Author: John Johansen <john@jjmx.net>
Date: Wed Apr 8 08:34:41 2020 +0000
Merge Better error handling when creating apparmor.vim
See the individual commits for details and bug references.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/472
Acked-by: John Johansen <john.johansen@canonical.com>
commit e02a0170141317df624a282195286733a298634e
Merge: dda6825f 0b31930b
Author: John Johansen <john@jjmx.net>
Date: Fri Apr 3 01:47:03 2020 +0000
Merge Backport xdg open
@Talkless requested xdg-open and friends be cherry-picked into 2.13
This is the set of commits (and fixes) to do that without modifying them.
We could drop backporting dbus-strict by modifying both the adding missing .d dirs, and add xdg-open and friends patches.
This series does not currently include the make check test and its fixes for the .d directories, as they were not required but we may want to include them to catch any potential errors.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/471
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 0b31930b3b8a2fe6be97079fb0807d2498397e6f
Author: John Johansen <john@jjmx.net>
Date: Tue Mar 31 23:05:51 2020 +0000
Merge exo-open: allow reading ~/.local/share/xfce4/helpers/*.desktop
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/73
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/467
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit b2d0d87ebac183895adef679be3904b8fc923e66)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit b9af6564a557f2dfe0ed0c84c7c08f4faea884e4
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Tue Feb 11 20:31:41 2020 +0000
Merge branch 'cboltz-exoopen-local' into 'master'
Add #include if exists <*.d> to new abstractions
See merge request apparmor/apparmor!453
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(cherry picked from commit 962f1e7a7b1e2e97bfc6c42173b494b5609b0f29)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 632fb92bc5464ceccbc6e71ccb55d052673c9a4c
Author: John Johansen <john@jjmx.net>
Date: Mon Feb 3 21:32:21 2020 +0000
Add xdg-open (and friends) abstraction
Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments.
Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d257afd3096b25f5d76e2575478c13d4f6930f9a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 79e942bf2a8ac00d33034edf34cfccc46c0bea3a
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Mon Jan 27 19:42:45 2020 +0000
Merge branch 'cboltz-abstractions-missing-include' into 'master'
add missing *.d include to dbus-network-manager-strict abstraction
See merge request apparmor/apparmor!448
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(cherry picked from commit eae474bb5c75129a9c5d0d02b1edf30636794900)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit c046bc83dc7ac0e2c3486d65ee07353687f79868
Author: John Johansen <john@jjmx.net>
Date: Wed Nov 27 18:01:42 2019 +0000
Add dbus-network-manager-strict abstraction
Some applications query network configuration (using QNetworkConfigurationManager class in Qt and similar), and that produces DBus denials under AppArmor confinement when NetworkManager backend is used.
Add abstraction that allows most common read-only DBus queries for getting current network configuration from NetworkManager backend.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/409
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a10fa57fb6274d32763d9df8e3051f6c45543776)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit dda6825ff2c268d582afe0ba7faf00ed2d525929
Author: Rich McAllister <Nopublic@address.provided>
Date: Tue Mar 31 21:01:21 2020 -0700
abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
In focal users of mdns get denials in apparmor confined applications.
An example can be found in the original bug below.
It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns
by default.
--- original bug ---
Many repetitions of
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains
hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mdns.allow contains the domains to resolve with mDNS (in my case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)
Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit eeac8c11c935edf9eea2bed825af6c57e9fb52e3)
commit 92f6679da99152c9c1557ba5adade19ea1b4ee4f
Merge: 03acdebf af0c288f
Author: John Johansen <john@jjmx.net>
Date: Tue Mar 31 22:05:47 2020 +0000
Merge [2.13] fix build with make 4.3
This MR backports the patches for make 4.3 compatibility to the 2.13 branch.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/74
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1167953
Acked-by: John Johansen <john.johansen@canonical.com>
commit 03acdebf071eba06f60ccbc33218a06367f6874f
Merge: 1f319c38 454fca74
Author: John Johansen <john@jjmx.net>
Date: Tue Mar 31 21:59:34 2020 +0000
Merge [2.12 + 2.13] Add "run" variable
Define the "run" variable in 2.12 and 2.13 to make backporting profile updates easier.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/88
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/466
Acked-by: John Johansen <john.johansen@canonical.com>
commit 1f319c3870287b9a2cfa39e92344c9d35875b811
Author: nl6720 <nl6720@gmail.com>
Date: Thu Mar 19 12:05:44 2020 +0200
abstractions/nameservice: allow accessing /run/systemd/userdb/
On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .
(cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82
Signed-off-by: nl6720 <nl6720@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 411af09c9701004f7c7ff9d3fadb170c1a62e306
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Tue Mar 31 19:49:26 2020 +0000
Merge branch 'mesa-20.0' into 'master'
abstractions/mesa: allow checking if the kernel supports the i915 perf interface
See merge request apparmor/apparmor!464
Acked-by: Vincas Dargis <vindrg@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
(cherry picked from commit f56bab3f75dfbdfc9456628a392cabbb985a44bb)
61571da1 abstractions/mesa: allow checking if the kernel supports the i915 perf interface
commit 454fca7483eae7b7ee613343c2c02abaa20e37e3
Author: nl6720 <nl6720@gmail.com>
Date: Thu Feb 13 09:58:33 2020 +0200
Add "run" variable
Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit 452b5b8735e449cba29a1fb25c9bff38ba8763ec)
commit af0c288fcd4b9ddbf3a062d6d0e1c9618e8f3c75
Author: Christian Boltz <apparmor@cboltz.de>
Date: Sun Mar 29 00:07:11 2020 +0100
fix capabilities in apparmor.vim
https://gitlab.com/apparmor/apparmor/-/merge_requests/461 /
e92da079ca12e776991bd36524430bd67c1cb72a changed creating the
capabilities to use a script.
A side effect is that the list is now separated by \n instead of
spaces. Adjust create-apparmor.vim.py to the new output.
(cherry picked from commit 60b005788e79c1be7276349242e0cc97b99f7118)
commit 0d8e4cda3fb5194b82e288cadbcce98998064b7a
Author: allgdante <allan.garret@gmail.com>
Date: Mon Mar 23 15:09:15 2020 +0000
Generate CAPABILITIES in a script due to make 4.3
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
(cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a)
commit 69651fc6565cf033ab763a607d786eb14143b7c6
Author: John Johansen <john.johansen@canonical.com>
Date: Fri Jun 14 01:04:22 2019 -0700
Revert "utils/test-network.py: fix failing testcase"
This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0.
this commit was meant for the 2.13 branch not master
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9144e39d252cd75dd2d6941154e014f7d46147ca)
commit fc2beaca9d642fb93736066f26e3588ad30ec7a4
Author: Eric Chiang <ericchiang@google.com>
Date: Thu Jan 17 11:02:57 2019 -0800
*: ensure make apparmor_parser is cached
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit cb8c3377babfed4600446d1f60d53d8e2a581578)
commit 5972adc7e30c958bae36278751e218c35799106e
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Mon Mar 23 20:14:27 2020 +0000
Merge branch 'master' into 'master'
Update usr.sbin.winbindd profile to allow krb5 rcache files locking
See merge request apparmor/apparmor!460
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 5c1932d0d634ee693b513f79fabe56c85d4c7f5f)
2c3001c7 Update usr.sbin.winbindd profile to allow krb5 rcache files locking
commit 2e2529bae81b0858d5f25c3d6f886fa3eba3f502
Author: Christian Boltz <apparmor@cboltz.de>
Date: Tue Feb 26 21:27:00 2019 +0100
Replace deprecated assertEquals with assertEqual
assertEquals is deprecated since Python 2.7 and 3.2.
(cherry picked from commit 62abfe38e8bb3e6ba4dc873efbd1855888ea8aa0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/README.md b/README.md
index 4e337fa6..4366d62f 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,24 @@ Security issues can be filed as security bugs on launchpad
or directed to `security@apparmor.net`. Additional details can be found
in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).
+
+--------------
+Privacy Policy
+--------------
+
+The AppArmor security project respects users privacy and data and does not collect data from or on its users beyond what is required for a given component to function.
+
+The AppArmor kernel security module will log violations to the audit subsystem, and those will be logged/forwarded/recorded on the user's system(s) according to how the administrator has logging configured. Again this is not forwarded to or collected by the AppArmor project.
+
+The AppArmor userspace tools do not collect information on the system user beyond the logs and information needed to interact with the user. This is not forwarded to, nor collected by the AppArmor project.
+
+Users may submit information as part of an email, bug report or merge request, etc. and that will be recorded as part of the mailing list, bug/issue tracker, or code repository but only as part of a user initiated action.
+
+The AppArmor project does not collect information from contributors beyond their interactions with the AppArmor project, code, and community. However contributors are subject to the terms and conditions and privacy policy of the individual platforms (currently GitLab and LaunchPad) should they choose to contribute through those platforms. And those platforms may collect data on the user that the AppArmor project does not.
+
+Currently both GitLab an LaunchPad require a user account to submit patches or report bugs and issues. If a contributor does not wish to create an account for these platforms the mailing list is available. Membership in the list is not required. Content from non-list members will be sent to moderation, to ensure that it is on topic, so there may be a delay in choosing to interact in this way.
+
+
-------------
Source Layout
-------------
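Review bot: two wording slips in the new section: "+Currently both GitLab an LaunchPad" should read "and LaunchPad", and "respects users privacy" wants the possessive "users' privacy". The two empty `+` lines before "Source Layout" also leave a double blank where the rest of the file separates sections with a single one.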
diff --git a/binutils/Makefile b/binutils/Makefile
index 7fb71813..e9fcbbd8 100644
--- a/binutils/Makefile
+++ b/binutils/Makefile
@@ -54,6 +54,10 @@ TOOLS = aa-enabled aa-exec
AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
+ifdef WITH_LIBINTL
+ AALIB += -lintl
+endif
+
ifdef USE_SYSTEM
# Using the system libapparmor so Makefile dependencies can't be used
LIBAPPARMOR_A =
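Review bot: WITH_LIBINTL is a new build knob that nothing in this series documents; a packager has no way to know it exists or when to set it (builds where gettext lives in a separate libintl, typically musl or other cross toolchains). Add a one-line comment above the `ifdef` and mention it in the build documentation.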
diff --git a/common/Make.rules b/common/Make.rules
index d2149fcd..ecc6181a 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -74,40 +74,6 @@ endif
pod_clean:
-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
-# =====================
-# generate list of capabilities based on
-# /usr/include/linux/capabilities.h for use in multiple locations in
-# the source tree
-# =====================
-
-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
-
-.PHONY: list_capabilities
-list_capabilities: /usr/include/linux/capability.h
- @echo "$(CAPABILITIES)"
-
-# =====================
-# generate list of network protocols based on
-# sys/socket.h for use in multiple locations in
-# the source tree
-# =====================
-
-# These are the families that it doesn't make sense for apparmor
-# to mediate. We use PF_ here since that is what is required in
-# bits/socket.h, but we will rewrite these as AF_.
-
-FILTER_FAMILIES=PF_UNIX
-
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
-
-# emits the AF names in a "AF_NAME NUMBER," pattern
-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
-
-.PHONY: list_af_names
-list_af_names:
- @echo "$(AF_NAMES)"
-
# =====================
# manpages
# =====================
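Review bot: this removal drops `FILTER_FAMILIES`, the one variable a builder could override to extend the set of address families left unmediated; the replacement script hardcodes `/PF_UNIX/d`. If that configurability is intentionally gone, the log entry that introduces the script ("Changes to list_af_names are intended to exactly replicate the old behavior") should say so; otherwise let the script read the filter from an environment variable with `PF_UNIX` as the default.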
diff --git a/common/list_af_names.sh b/common/list_af_names.sh
new file mode 100755
index 00000000..d7987537
--- /dev/null
+++ b/common/list_af_names.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
+# for "PF_" constants since that is what is required in bits/socket.h, but
+# rewrite as "AF_".
+
+echo "#include <sys/socket.h>" | \
+ cpp -dM | \
+ LC_ALL=C sed -n \
+ -e '/PF_UNIX/d' \
+ -e 's/PF_LOCAL/PF_UNIX/' \
+ -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
+ sort -n -k2
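Review bot: the pipeline's exit status is that of `sort`, so the `-e` in the shebang never fires when `cpp` is missing or fails, and the script emits an empty list that make will happily write into af_names.h; since bash is already required, add `set -o pipefail` after the shebang. The header comment also misstates the effect of the filter: with the three `-e` expressions applied in order, `/PF_UNIX/d` runs before `s/PF_LOCAL/PF_UNIX/`, so a `PF_LOCAL` definition is renamed and still emitted as `AF_UNIX`; the delete only drops lines that already spell PF_UNIX. Reword the comment to match (and fix "sence").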
diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
new file mode 100755
index 00000000..4e37cda7
--- /dev/null
+++ b/common/list_capabilities.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+echo "#include <linux/capability.h>" | \
+ cpp -dM | \
+ LC_ALL=C sed -n \
+ -e '/CAP_EMPTY_SET/d' \
+ -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
+ LC_ALL=C sort
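Review bot: the comment names `/usr/include/linux/capabilities.h` while the `#include` line (and the `cap_names.h` prerequisite in parser/Makefile) uses `<linux/capability.h>` without the "s"; fix the comment so a reader grepping for the header finds it. Inside single quotes the `\#` at the start of the substitution regex reaches sed verbatim; the backslash was only needed when this expression lived in a Makefile, and the sibling list_af_names.sh already writes a bare `^#define`, so drop it here too for portability. The pipefail concern raised on that script applies unchanged.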
diff --git a/libraries/libapparmor/swig/python/test/test_python.py.in b/libraries/libapparmor/swig/python/test/test_python.py.in
index 37849554..75c71415 100644
--- a/libraries/libapparmor/swig/python/test/test_python.py.in
+++ b/libraries/libapparmor/swig/python/test/test_python.py.in
@@ -74,7 +74,7 @@ class AAPythonBindingsTests(unittest.TestCase):
libapparmor.free_record(swig_record)
expected = self.parse_output_file(outfile)
- self.assertEquals(expected, record,
+ self.assertEqual(expected, record,
"expected records did not match\n" +
"expected = %s\nactual = %s" % (expected, record))
@@ -90,7 +90,7 @@ class AAPythonBindingsTests(unittest.TestCase):
line = l.rstrip('\n')
count += 1
if line == "START":
- self.assertEquals(count, 1,
+ self.assertEqual(count, 1,
"Unexpected output format in %s" % (outfile))
continue
else:
diff --git a/parser/Makefile b/parser/Makefile
index 73e88f5c..d2bdc4de 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -94,6 +94,10 @@ AAREOBJECTS = $(AAREOBJECT)
AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. $(LDFLAGS)
AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
+ifdef WITH_LIBINTL
+ AALIB += -lintl
+endif
+
ifdef USE_SYSTEM
# Using the system libapparmor so Makefile dependencies can't be used
LIBAPPARMOR_A =
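Review bot: this `ifdef WITH_LIBINTL` block is byte-for-byte the one added to binutils/Makefile above. Both Makefiles define `AALIB`, and the series already touches common/Make.rules; defining the `-lintl` addition once there (or a shared `LIBINTL` variable the two `AALIB` lines append) avoids the two copies drifting apart.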
@@ -281,14 +285,13 @@ parser_version.h: Makefile
# as well as the filtering that occurs for network protocols that
# apparmor should not mediate.
-.PHONY: af_names.h
-af_names.h:
- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
+af_names.h: ../common/list_af_names.sh
+ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
+ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
# cat $@
cap_names.h: /usr/include/linux/capability.h
- echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+ ../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
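Review bot: `cap_names.h` still lists only `/usr/include/linux/capability.h` as its prerequisite while its recipe now runs `../common/list_capabilities.sh`, so editing the script (its sed expression, for instance) will not regenerate the header; add the script as a prerequisite, mirroring `af_names.h: ../common/list_af_names.sh`. Conversely, `af_names.h` gives up its always-rebuild status but gains no dependency on the socket header it is derived from, so after a toolchain update only `make clean` picks up new address families. That is consistent with the stated goal of not rebuilding on the target system, but deserves a comment next to the rule so nobody "fixes" it later.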
@@ -304,10 +307,7 @@ tests: apparmor_parser ${TESTS}
sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
$(Q)$(MAKE) -s -C tst tests
-# always need to rebuild.
-.SILENT: $(AAREOBJECT)
-.PHONY: $(AAREOBJECT)
-$(AAREOBJECT):
+$(AAREOBJECT): FORCE
$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
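Review bot: removing `.SILENT: $(AAREOBJECT)` along with the `.PHONY` line changes the build output, because the recursive `$(MAKE) -C $(AAREDIR)` recipe is now echoed on every invocation; if the quiet build was wanted, prefix the recipe with `@`. The switch to a `FORCE` prerequisite is the right tool here, since the recipe still runs every time but dependents are rebuilt only when the archive's timestamp actually changes; keep the removed "always need to rebuild" comment and extend it with that reasoning, otherwise the difference from `.PHONY` is easy to miss.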
.PHONY: install-rhel4
@@ -363,7 +363,9 @@ INSTALLDEPS+=install-$(DISTRO)
endif
.PHONY: install
-install: install-indep install-arch
+install:
+ $(MAKE) install-indep
+ $(MAKE) install-arch
.PHONY: install-arch
install-arch: $(INSTALLDEPS)
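Review bot: turning `install` into two sequential `$(MAKE)` invocations serializes `install-indep` and `install-arch` and defeats `make -j` for that target, and nothing in the log or the Makefile says why the plain prerequisite list was not good enough. Add a comment above the rule stating the reason (a race between the two halves under parallel install, if that is it), so the next reader does not revert it.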
@@ -408,3 +410,4 @@ clean: pod_clean
$(MAKE) -s -C po clean
$(MAKE) -s -C tst clean
+FORCE:
diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 662830bd..59ac72c9 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -1279,6 +1279,7 @@ provided AppArmor policy:
@{apparmorfs}
@{sys}
@{tid}
+ @{run}
@{XDG_DESKTOP_DIR}
@{XDG_DOWNLOAD_DIR}
@{XDG_TEMPLATES_DIR}
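Review bot: the surrounding list is alphabetical within its case group (`@{apparmorfs}`, `@{sys}`, `@{tid}`, then the upper-case `@{XDG_*}` entries), so `@{run}` belongs before `@{sys}` rather than after `@{tid}`.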
diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions
index 22e8367f..8c1c57c5 100644
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -140,7 +140,7 @@ force_complain() {
local profile=$1
# if profile not in complain mode
- if ! egrep -q "^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+{" $profile ; then
+ if ! egrep -q '^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+\{' $profile ; then
local link="${PROFILE_DIR}/force-complain/`basename ${profile}`"
if [ -e "$link" ] ; then
aa_log_warning_msg "found $link, forcing complain mode"
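Review bot: the escaped brace is the right fix for the failure quoted in the log, but `$profile` on the same line remains unquoted, so a profile path containing whitespace splits into several grep arguments; write `"$profile"`. `egrep` is also a deprecated alias in current grep releases, and `grep -Eq` is available on both GNU grep and busybox, so this is a good moment to switch.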
diff --git a/parser/tst/caching.py b/parser/tst/caching.py
index 6d07b696..ad8a1be0 100755
--- a/parser/tst/caching.py
+++ b/parser/tst/caching.py
@@ -137,7 +137,7 @@ class AAParserCachingCommon(testlib.AATestTemplate):
with open(features_path) as f:
features = f.read()
if expected:
- self.assertEquals(expected_output, features,
+ self.assertEqual(expected_output, features,
"features contents differ, expected:\n%s\nresult:\n%s" % (expected_output, features))
else:
self.assertNotEquals(expected_output, features,
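Review bot: the rename is incomplete: the context line directly below still calls `self.assertNotEquals`, the next hunk keeps `self.assertAlmostEquals`, and the `st_size` check a few hunks further down uses `assertNotEquals` again. The deprecation the commit message cites for `assertEquals` covers these aliases as well, so rename them to `assertNotEqual` and `assertAlmostEqual` in the same commit rather than leaving the file half-converted.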
@@ -269,7 +269,7 @@ class AAParserCachingTests(AAParserCachingCommon):
if (int(major) < 3) or ((int(major) == 3) and (int(minor) <= 2)):
self.assertAlmostEquals(time1, time2, places=5)
else:
- self.assertEquals(time1, time2)
+ self.assertEqual(time1, time2)
def _set_mtime(self, path, mtime):
atime = os.stat(path).st_atime
@@ -370,7 +370,7 @@ class AAParserCachingTests(AAParserCachingCommon):
# in cache_contents because of the difficulty coercing cache
# file bytes into strings in python3
self.assertNotEquals(orig_stat.st_size, stat.st_size, 'Expected cache file to be updated, size is not changed.')
- self.assertEquals(os.stat(self.profile).st_mtime, stat.st_mtime)
+ self.assertEqual(os.stat(self.profile).st_mtime, stat.st_mtime)
def test_cache_writing_clears_all_files(self):
'''test cache writing clears all cache files'''
@@ -388,7 +388,7 @@ class AAParserCachingTests(AAParserCachingCommon):
self._set_mtime(self.abstraction, 0)
self._set_mtime(self.profile, expected)
self._generate_cache_file()
- self.assertEquals(expected, os.stat(self.cache_file).st_mtime)
+ self.assertEqual(expected, os.stat(self.cache_file).st_mtime)
def test_abstraction_mtime_preserved(self):
'''test abstraction mtime is preserved when it is newest'''
@@ -396,7 +396,7 @@ class AAParserCachingTests(AAParserCachingCommon):
self._set_mtime(self.profile, 0)
self._set_mtime(self.abstraction, expected)
self._generate_cache_file()
- self.assertEquals(expected, os.stat(self.cache_file).st_mtime)
+ self.assertEqual(expected, os.stat(self.cache_file).st_mtime)
def test_equal_mtimes_preserved(self):
'''test equal profile and abstraction mtimes are preserved'''
@@ -404,7 +404,7 @@ class AAParserCachingTests(AAParserCachingCommon):
self._set_mtime(self.profile, expected)
self._set_mtime(self.abstraction, expected)
self._generate_cache_file()
- self.assertEquals(expected, os.stat(self.cache_file).st_mtime)
+ self.assertEqual(expected, os.stat(self.cache_file).st_mtime)
def test_profile_newer_skips_cache(self):
'''test cache is skipped if profile is newer'''
@@ -420,9 +420,9 @@ class AAParserCachingTests(AAParserCachingCommon):
self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
stat = os.stat(self.cache_file)
- self.assertEquals(orig_stat.st_size, stat.st_size)
- self.assertEquals(orig_stat.st_ino, stat.st_ino)
- self.assertEquals(orig_stat.st_mtime, stat.st_mtime)
+ self.assertEqual(orig_stat.st_size, stat.st_size)
+ self.assertEqual(orig_stat.st_ino, stat.st_ino)
+ self.assertEqual(orig_stat.st_mtime, stat.st_mtime)
def test_abstraction_newer_skips_cache(self):
'''test cache is skipped if abstraction is newer'''
@@ -438,9 +438,9 @@ class AAParserCachingTests(AAParserCachingCommon):
self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
stat = os.stat(self.cache_file)
- self.assertEquals(orig_stat.st_size, stat.st_size)
- self.assertEquals(orig_stat.st_ino, stat.st_ino)
- self.assertEquals(orig_stat.st_mtime, stat.st_mtime)
+ self.assertEqual(orig_stat.st_size, stat.st_size)
+ self.assertEqual(orig_stat.st_ino, stat.st_ino)
+ self.assertEqual(orig_stat.st_mtime, stat.st_mtime)
def test_profile_newer_rewrites_cache(self):
'''test cache is rewritten if profile is newer'''
diff --git a/profiles/apparmor.d/abstractions/dbus-network-manager-strict b/profiles/apparmor.d/abstractions/dbus-network-manager-strict
new file mode 100644
index 00000000..889a9a85
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/dbus-network-manager-strict
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=GetDevices
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings
+ interface=org.freedesktop.NetworkManager.Settings
+ member={GetDevices,ListConnections}
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+ interface=org.freedesktop.NetworkManager.Settings.Connection
+ member=GetSettings
+ peer=(name=org.freedesktop.NetworkManager),
+
+ #include if exists <abstractions/dbus-network-manager-strict.d>
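Review bot: `member={GetDevices,ListConnections}` on the `org.freedesktop.NetworkManager.Settings` rule looks like a copy from the rule above; `GetDevices` is a method of `org.freedesktop.NetworkManager` (already allowed in the second rule), not of the Settings interface, so either drop it here or name the caller that needs it. The file also has no header comment describing its purpose and intended use, unlike the other new abstractions in this series; a short "limits a confined helper to read-only NetworkManager queries" line plus a usage example would make the `-strict` intent explicit.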
diff --git a/profiles/apparmor.d/abstractions/exo-open b/profiles/apparmor.d/abstractions/exo-open
new file mode 100644
index 00000000..6b14afa5
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/exo-open
@@ -0,0 +1,74 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via exo-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/exo-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/exo-open rPx -> foo//exo-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//exo-open {
+# #include <abstractions/exo-open>
+#
+# # needed for ubuntu-* abstractions
+# #include <abstractions/ubuntu-helpers>
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include <abstractions/ubuntu-browsers>
+# #include <abstractions/ubuntu-email>
+#
+# # Add if accesibility access is considered as required
+# # (for message boxe in case exo-open fails)
+# #include <abstractions/dbus-accessibility>
+#
+# # < add additional allowed applications here >
+# }
+
+ #include <abstractions/X>
+ #include <abstractions/audio> # for alert messages
+ #include <abstractions/base>
+ #include <abstractions/dbus-session-strict>
+ #include <abstractions/gnome>
+
+ # Main executables
+
+ /usr/bin/exo-open rix,
+ /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
+
+ # Other executables
+
+ /{,usr/}bin/which rix,
+
+ # Deny DBus
+
+ # for GTK error message dialog, not required exo-open to work.
+ deny dbus send
+ bus=session
+ path=/org/gtk/vfs/mounttracker,
+
+ # System files
+
+ /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
+ /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
+ /usr/share/sounds/freedesktop/** r, # for message box alert sound
+ /usr/share/xfce4/helpers/*.desktop r,
+ /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
+
+ # User files
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{HOME}/.config/xfce4/helpers.rc r,
+ owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
+
+ # Include additions to the abstraction
+ #include if exists <abstractions/exo-open.d>
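Review bot: the usage example opens a ``` fence but never closes it (the gvfs-open, kde-open5 and xdg-open abstractions end the example with ```), so add the closing fence after `# }`. Two typos in the same block: "accesibility" should be "accessibility" and "message boxe" should be "message box". Since the rest of the helper set reads `rw`-free, read-only handler lookups, it is worth stating in the header that the `Px` transition from the parent is what keeps the parent from inheriting the X, audio and gnome access granted here.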
diff --git a/profiles/apparmor.d/abstractions/gio-open b/profiles/apparmor.d/abstractions/gio-open
new file mode 100644
index 00000000..ec6b1873
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/gio-open
@@ -0,0 +1,57 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gio helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gio directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gio rPx -> foo//gio-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gio-open {
+# #include <abstractions/gio-open>
+#
+# # needed for ubuntu-* abstractions
+# #include <abstractions/ubuntu-helpers>
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include <abstractions/ubuntu-browsers>
+# #include <abstractions/ubuntu-email>
+#
+# # < add additional allowed applications here >
+# }
+
+ #include <abstractions/base>
+ #include <abstractions/dbus-session-strict>
+
+ # Main executables
+
+ /usr/bin/gio rix,
+ /usr/bin/gio-launch-desktop ix, # for OpenSUSE
+ /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
+
+ # System files
+
+ /etc/gnome/defaults.list r,
+ /usr/share/mime/* r,
+ /usr/share/{,*/}applications/{,**} r,
+ /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
+ /var/lib/snapd/desktop/applications/{,**} r,
+
+ # User files
+
+ owner @{HOME}/.config/mimeapps.list r,
+ owner @{HOME}/.local/share/applications/{,*.desktop} r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # Include additions to the abstraction
+ #include if exists <abstractions/gio-open.d>
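Review bot: the usage example opens a ``` fence but does not close it; add ``` after `# }` as the gvfs-open, kde-open5 and xdg-open files do. Minor: "for OpenSUSE" should be "for openSUSE", matching the spelling used in the kde-open5 comments.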
diff --git a/profiles/apparmor.d/abstractions/gvfs-open b/profiles/apparmor.d/abstractions/gvfs-open
new file mode 100644
index 00000000..397423da
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/gvfs-open
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gvfs-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gvfs-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gvfs-open {
+# #include <abstractions/gvfs-open>
+#
+# # needed for ubuntu-* abstractions
+# #include <abstractions/ubuntu-helpers>
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include <abstractions/ubuntu-browsers>
+# #include <abstractions/ubuntu-email>
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ #include <abstractions/base>
+
+ # gvfs-open is deprecated, it launches gio open <uri>
+ #include <abstractions/gio-open>
+
+ # Main executables
+
+ /usr/bin/gvfs-open r,
+ /{,usr/}bin/dash mr,
+
+ # Include additions to the abstraction
+ #include if exists <abstractions/gvfs-open.d>
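Review bot: `/{,usr/}bin/dash mr,` only covers systems where `/bin/sh` is dash; on distributions where `/bin/sh` is bash (openSUSE and Fedora among them) the wrapper script will be denied, so use `/{,usr/}bin/{b,d}ash mr,` as the xdg-open abstraction does.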
diff --git a/profiles/apparmor.d/abstractions/kde-open5 b/profiles/apparmor.d/abstractions/kde-open5
new file mode 100644
index 00000000..4fb651ea
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/kde-open5
@@ -0,0 +1,104 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via kde-open5 helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/kde-open5 directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/kde-open5 rPx -> foo//kde-open5,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//kde-open5 {
+# #include <abstractions/kde-open5>
+#
+# # needed for ubuntu-* abstractions
+# #include <abstractions/ubuntu-helpers>
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include <abstractions/ubuntu-browsers>
+# #include <abstractions/ubuntu-email>
+#
+# # Add if accesibility access is considered as required
+# # (for message boxe in case exo-open fails)
+# #include <abstractions/dbus-accessibility>
+#
+# # Add if audio support for message box is
+# # considered as required.
+# #include if exists <abstractions/gstreamer>
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ #include <abstractions/audio> # for alert messages
+ #include <abstractions/base>
+ #include <abstractions/dbus-accessibility-strict>
+ #include <abstractions/dbus-network-manager-strict>
+ #include <abstractions/dbus-session-strict>
+ #include <abstractions/dbus-strict>
+ #include <abstractions/kde-icon-cache-write>
+ #include <abstractions/kde>
+ #include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
+ #include <abstractions/openssl>
+ #include <abstractions/qt5>
+ #include <abstractions/recent-documents-write>
+ #include <abstractions/X>
+
+ # Main executables
+
+ /usr/bin/kde-open5 rix,
+ /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
+
+ # DBus
+
+ dbus
+ bus=session
+ interface=org.kde.KLauncher
+ member=start_service_by_desktop_path
+ peer=(name=org.kde.klauncher5),
+
+ # Denied system files
+
+ deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
+
+ # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+ # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+ # AppArmor does not allow to distinguish "real" file vs shared memory one,
+ # so we deny this path to protect from loading exploits from /tmp.
+ deny /tmp/#[0-9]*[0-9] m,
+
+ # System files
+
+ /dev/tty r,
+ /etc/xdg/accept-languages.codes r,
+ /etc/xdg/menus/{,*/} r,
+ /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
+ /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
+ /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
+ /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
+ /usr/share/mime/ r,
+ /usr/share/mime/generic-icons r,
+ /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
+ /usr/share/sounds/ r,
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ # User files
+
+ owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
+ owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
+ owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
+ owner @{HOME}/.cache/kio_http/ rw,
+
+ # Include additions to the abstraction
+ #include if exists <abstractions/kde-open5.d>
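Review bot: the `dbus bus=session interface=org.kde.KLauncher member=start_service_by_desktop_path peer=(name=org.kde.klauncher5),` rule has no access keyword, so it grants every access compatible with the conditionals (send and receive); the helper only issues a method call, so `dbus send` is sufficient, and a `path=` conditional would tighten it further. In the `kioclient*slave-socket` link rule the target `/{,var/}/run/user/[0-9]/#[0-9]*` does not match the source: `[0-9]` matches a single digit (uid 1000 has four) and `{,var/}/run` yields a doubled slash, so it should read `/{,var/}run/user/[0-9]*/#[0-9]*`, or better `@{run}/user/[0-9]*/#[0-9]*` now that `tunables/run` exists in this series. Comment fixes: "accesibility" and "message boxe" as in exo-open, "in case exo-open fails" should say kde-open5 here, and "VLC backed" should be "VLC backend".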
diff --git a/profiles/apparmor.d/abstractions/mdns b/profiles/apparmor.d/abstractions/mdns
index e05ef3a4..14c31b8c 100644
--- a/profiles/apparmor.d/abstractions/mdns
+++ b/profiles/apparmor.d/abstractions/mdns
@@ -9,5 +9,6 @@
# ------------------------------------------------------------------
# mdnsd
+ /etc/mdns.allow r,
/etc/nss_mdns.conf r,
/{,var/}run/mdnsd w,
diff --git a/profiles/apparmor.d/abstractions/mesa b/profiles/apparmor.d/abstractions/mesa
index 68e7579e..be699c77 100644
--- a/profiles/apparmor.d/abstractions/mesa
+++ b/profiles/apparmor.d/abstractions/mesa
@@ -4,6 +4,10 @@
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
+ # Needed to check if the kernel supports the i915 perf interface
+ # (src/intel/perf/gen_perf.c, load_oa_metrics())
+ @{PROC}/sys/dev/i915/perf_stream_paranoid r,
+
# User files
owner @{HOME}/.cache/ w, # if user clears all caches
owner @{HOME}/.cache/mesa_shader_cache/ w,
diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index ef2c5b2e..a78a874d 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -29,6 +29,11 @@
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
+ # NSS records from systemd-userdbd.service
+ @{run}/systemd/userdb/ r,
+ @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
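Review bot: this makes the nameservice abstraction depend on `@{run}`, so any profile set that carries its own copy of `tunables/global` without the new `#include <tunables/run>` will stop parsing with an undefined variable; `tunables/global` is updated in this same series, but the hard dependency deserves a line in the changelog since nameservice is included by nearly every profile. Please also confirm that `r` is enough for the `io.systemd.*` socket paths on kernels that mediate AF_UNIX sockets by path; the usual pattern for connecting to a named socket is `rw`.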
diff --git a/profiles/apparmor.d/abstractions/xdg-open b/profiles/apparmor.d/abstractions/xdg-open
new file mode 100644
index 00000000..531022e3
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/xdg-open
@@ -0,0 +1,84 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via xdg-open helper. xdg-open abstraction
+# will allow to use gio-open, kde-open5 and other helpers of the different
+# desktop environments.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/xdg-open rPx -> foo//xdg-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//xdg-open {
+# #include <abstractions/xdg-open>
+#
+# # Enable a11y support if considered required by
+# # profile author for (rare) error message boxes.
+# #include <abstractions/dbus-accessibility>
+#
+# # Enable gstreamer support if considered required by
+# # profile author for (rare) error message boxes.
+# #include if exists <abstractions/gstreamer>
+#
+# # needed for ubuntu-* abstractions
+# #include <abstractions/ubuntu-helpers>
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include <abstractions/ubuntu-browsers>
+# #include <abstractions/ubuntu-email>
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ #include <abstractions/base>
+
+ # for openin with `exo-open`
+ #include <abstractions/exo-open>
+
+ # for opening with `gio open <uri>`
+ #include <abstractions/gio-open>
+
+ # for opening with gvfs-open (deprecated)
+ #include <abstractions/gvfs-open>
+
+ # for opening with kde-open5
+ #include <abstractions/kde-open5>
+
+ # Main executables
+
+ /{,usr/}bin/{b,d}ash mr,
+ /usr/bin/xdg-open r,
+
+ # Additional executables
+
+ /usr/bin/xdg-mime rix,
+ /{,usr/}bin/cut rix, # for xdg-mime
+ /{,usr/}bin/head rix, # for xdg-mime
+ /{,usr/}bin/sed rix, # for xdg-open
+ /{,usr/}bin/tr rix, # for xdg-mime
+ /{,usr/}bin/which rix, # for xdg-open
+ /{,usr/}bin/{grep,egrep} rix, # for xdg-open
+
+ # System files
+
+ /dev/pts/[0-9]* rw,
+ /dev/tty w,
+ /etc/gnome/defaults.list r, # for grep
+ /usr/share/applications/mimeinfo.cache r, # for grep
+ /usr/share/terminfo/s/screen r, # for bash on openSUSE
+ /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
+ /var/lib/menu-xdg/applications/ r, # for xdg-mime
+
+ # Usr files
+
+ owner @{HOME}/.local/share/applications/{,*.desktop} r,
+
+ # Include additions to the abstraction
+ #include if exists <abstractions/xdg-open.d>
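Review bot: `/dev/pts/[0-9]* rw,` is not `owner`-qualified, so the helper may open any user's pseudo-terminal; it inherits its own stdio descriptors and would only reopen its controlling tty, so `owner /dev/pts/[0-9]* rw,` is the least-privilege form and should be justified if the unqualified rule is really needed. Typos: "for openin with" should be "for opening with", and the "Usr files" heading should read "User files" like the other abstractions.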
diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global
index 28d6fc6d..3b6f99cc 100644
--- a/profiles/apparmor.d/tunables/global
+++ b/profiles/apparmor.d/tunables/global
@@ -19,3 +19,4 @@
#include <tunables/kernelvars>
#include <tunables/xdg-user-dirs>
#include <tunables/share>
+#include <tunables/run>
diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run
new file mode 100644
index 00000000..5b81925e
--- /dev/null
+++ b/profiles/apparmor.d/tunables/run
@@ -0,0 +1 @@
+@{run}=/run/ /var/run/
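Review bot: the new tunable has no comment; a line noting that the values carry a trailing slash like `@{PROC}=/proc/`, so rules are written `@{run}/systemd/...` in the same way as `@{PROC}/@{pid}/fd/` elsewhere in this patch, would save the next reader a check. Since `/var/run` is a symlink to `/run` on current systems and AppArmor mediates the resolved path, listing both keeps the variable correct on systems where `/var/run` is still a real directory.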
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
index 14ad664b..f2b5ca18 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -42,6 +42,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
owner /dev/tty rw,
+ @{PROC}/@{pid}/fd/ r,
+
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
index 9f78e8c7..0313ec98 100644
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -25,7 +25,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
/usr/lib*/samba/nss_info/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
/usr/{bin,sbin}/winbindd mr,
- /var/cache/krb5rcache/* rw,
+ /var/cache/krb5rcache/* rwk,
/var/cache/samba/*.tdb rwk,
/var/log/samba/log.winbindd rw,
/{var/,}run/samba/winbindd.pid rwk,
diff --git a/utils/Makefile b/utils/Makefile
index 68f8c376..ea9e0601 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -80,7 +80,7 @@ clean: pod_clean
.SILENT: check_severity_db
check_severity_db: /usr/include/linux/capability.h severity.db
# The sed statement is based on the one in the parser's makefile
- RC=0 ; for cap in ${CAPABILITIES} ; do \
+ RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \
if ! grep -q -w $${cap} severity.db ; then \
echo "Warning! capability $${cap} not found in severity.db" ; \
RC=1 ; \
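Review bot: `$(shell ../common/list_capabilities.sh)` fails silently: if the script is missing or exits non-zero, make substitutes an empty list, the loop body never runs and the target passes with RC=0. Run the script from the shell recipe instead, e.g. `for cap in $$(../common/list_capabilities.sh) ; do` after a guard such as `caps=$$(../common/list_capabilities.sh) || exit 1`, or check `$(.SHELLSTATUS)` after the `$(shell ...)`. The comment "The sed statement is based on the one in the parser's makefile" is now stale since the sed moved into the shared script.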
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 3b5ad68f..5423497e 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -559,8 +559,7 @@ def get_profile(prof_name):
p = profile_hash[options[arg]]
q.selected = options.index(options[arg])
if ans == 'CMD_VIEW_PROFILE':
- pager = get_pager()
- subprocess.call([pager, orig_filename])
+ aaui.UI_ShowFile(uname, orig_filename)
elif ans == 'CMD_USE_PROFILE':
if p['profile_type'] == 'INACTIVE_LOCAL':
profile_data = p['profile_data']
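Review bot: replacing `get_pager()` with `aaui.UI_ShowFile()` drops the user's `$PAGER` configuration for viewing a profile, because the new helper in ui.py hardcodes `less`; either have `UI_ShowFile()` consult `get_pager()` or accept a pager argument. Also check whether `get_pager` is still referenced anywhere in aa.py after this change and drop the import if not.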
@@ -1952,6 +1951,10 @@ def collapse_log():
for aamode in prelog.keys():
for profile in prelog[aamode].keys():
for hat in prelog[aamode][profile].keys():
+ # used to avoid to accidently initialize aa[profile][hat] or calling is_known_rule() on events for a non-existing profile
+ hat_exists = False
+ if aa.get(profile) and aa[profile].get(hat):
+ hat_exists = True
log_dict[aamode][profile][hat] = ProfileStorage(profile, hat, 'collapse_log()')
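Review bot: `hat_exists` depends on the truthiness of the `ProfileStorage` returned by `aa[profile].get(hat)`; `hat_exists = profile in aa and hat in aa[profile]` expresses the intent directly, cannot trigger the hasher's autovivification, and does not break if `ProfileStorage` ever grows a `__len__`. The comment should also say "non-existing profile or hat", since the guard covers both cases, and could be wrapped to the usual line length.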
@@ -1977,12 +1980,12 @@ def collapse_log():
file_event = FileRule(path, mode, None, FileRule.ALL, owner=owner, log_event=True)
- if not is_known_rule(aa[profile][hat], 'file', file_event):
+ if not hat_exists or not is_known_rule(aa[profile][hat], 'file', file_event):
log_dict[aamode][profile][hat]['file'].add(file_event)
for cap in prelog[aamode][profile][hat]['capability'].keys():
cap_event = CapabilityRule(cap, log_event=True)
- if not is_known_rule(aa[profile][hat], 'capability', cap_event):
+ if not hat_exists or not is_known_rule(aa[profile][hat], 'capability', cap_event):
log_dict[aamode][profile][hat]['capability'].add(cap_event)
dbus = prelog[aamode][profile][hat]['dbus']
@@ -2005,20 +2008,21 @@ def collapse_log():
else:
raise AppArmorBug('unexpected dbus access: %s')
- log_dict[aamode][profile][hat]['dbus'].add(dbus_event)
+ if not hat_exists or not is_known_rule(aa[profile][hat], 'dbus', dbus_event):
+ log_dict[aamode][profile][hat]['dbus'].add(dbus_event)
nd = prelog[aamode][profile][hat]['netdomain']
for family in nd.keys():
for sock_type in nd[family].keys():
net_event = NetworkRule(family, sock_type, log_event=True)
- if not is_known_rule(aa[profile][hat], 'network', net_event):
+ if not hat_exists or not is_known_rule(aa[profile][hat], 'network', net_event):
log_dict[aamode][profile][hat]['network'].add(net_event)
ptrace = prelog[aamode][profile][hat]['ptrace']
for peer in ptrace.keys():
for access in ptrace[peer].keys():
ptrace_event = PtraceRule(access, peer, log_event=True)
- if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
+ if not hat_exists or not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)
sig = prelog[aamode][profile][hat]['signal']
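Review bot: the dbus branch is a functional change beyond the `hat_exists` guard: dbus events were previously added unconditionally, and are now filtered through `is_known_rule()` like every other rule type. That is the right behaviour, but it should be called out in the commit message and covered by a test that logs a dbus access already allowed by the profile. Drive-by while touching this code: the context line `raise AppArmorBug('unexpected dbus access: %s')` never fills its `%s` placeholder, so the bug report would not show the offending access.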
@@ -2026,7 +2030,7 @@ def collapse_log():
for access in sig[peer].keys():
for signal in sig[peer][access].keys():
signal_event = SignalRule(access, signal, peer, log_event=True)
- if not is_known_rule(aa[profile][hat], 'signal', signal_event):
+ if not hat_exists or not is_known_rule(aa[profile][hat], 'signal', signal_event):
log_dict[aamode][profile][hat]['signal'].add(signal_event)
return log_dict
@@ -2098,7 +2102,8 @@ def read_profile(file, active_profile):
try:
with open_file_read(file) as f_in:
data = f_in.readlines()
- except IOError:
+ except IOError as e:
+ aaui.UI_Important('WARNING: Error reading file %s, skipping.\n %s' % (file, e))
debug_logger.debug("read_profile: can't read %s - skipping" % file)
return None
diff --git a/utils/apparmor/ui.py b/utils/apparmor/ui.py
index cdb712f3..58ff8ced 100644
--- a/utils/apparmor/ui.py
+++ b/utils/apparmor/ui.py
@@ -254,13 +254,16 @@ def UI_Changes(oldprofile, newprofile, comments=False):
else:
difftemp = generate_diff_with_comments(oldprofile, newprofile)
header = 'View Changes with comments'
+ UI_ShowFile(header, difftemp.name)
+ difftemp.close()
+
+def UI_ShowFile(header, filename):
if UI_mode == 'json':
- jsonout = {'dialog': 'changes', 'header':header, 'filename': difftemp.name}
+ jsonout = {'dialog': 'changes', 'header': header, 'filename': filename}
write_json(jsonout)
- json_response('changes')["response"] # wait for response to delay deletion of difftemp (and ignore response content)
+ json_response('changes')["response"] # wait for response to delay deletion of filename (and ignore response content)
else:
- subprocess.call('less %s' % difftemp.name, shell=True)
- difftemp.close()
+ subprocess.call(['less', filename])
CMDS = {'CMD_ALLOW': _('(A)llow'),
'CMD_OTHER': _('(M)ore'),
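Review bot: `UI_ShowFile()` keeps `'dialog': 'changes'` for every file it shows, so a JSON consumer (the YaST module) now receives a "changes" dialog when a profile is merely being viewed from `get_profile()`; either pass the dialog type as a parameter or document that `changes` means "display this file". The switch from `subprocess.call('less %s' % ..., shell=True)` to `subprocess.call(['less', filename])` is a welcome hardening, since a filename containing shell metacharacters is no longer interpreted by a shell, but `less` is now hardcoded where the aa.py caller previously honoured `get_pager()`.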
diff --git a/utils/test/test-aa-easyprof.py b/utils/test/test-aa-easyprof.py
index ba468f3e..d2057972 100755
--- a/utils/test/test-aa-easyprof.py
+++ b/utils/test/test-aa-easyprof.py
@@ -1674,7 +1674,7 @@ POLICYGROUPS_DIR="%s/templates"
# verify we get the same manifest back
man_new = easyp.gen_manifest(params)
- self.assertEquals(m, man_new)
+ self.assertEqual(m, man_new)
def test_gen_manifest_ubuntu(self):
'''Test gen_manifest (ubuntu)'''
@@ -1714,7 +1714,7 @@ POLICYGROUPS_DIR="%s/templates"
# verify we get the same manifest back
man_new = easyp.gen_manifest(params)
- self.assertEquals(m, man_new)
+ self.assertEqual(m, man_new)
def test_parse_manifest_no_version(self):
'''Test parse_manifest (vendor with no version)'''
diff --git a/utils/test/test-network.py b/utils/test/test-network.py
index 8605786d..73a6b9d1 100644
--- a/utils/test/test-network.py
+++ b/utils/test/test-network.py
@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
class NetworkKeywordsTest(AATest):
def test_network_keyword_list(self):
- rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+ rc, output = cmd('../../common/list_af_names.sh')
self.assertEqual(rc, 0)
af_names = []
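Review bot: `cmd('../../common/list_af_names.sh')` passes a string where the other call sites (create-apparmor.vim.py in this same patch) pass a list; with `shell=False` a bare string only works because there are no arguments, so use `cmd(['../../common/list_af_names.sh'])` for consistency. The relative path also ties the test to being started from `utils/test`; resolving it against `os.path.dirname(__file__)` removes that dependency.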
diff --git a/utils/vim/Makefile b/utils/vim/Makefile
index 9ffc301e..7d107dd0 100644
--- a/utils/vim/Makefile
+++ b/utils/vim/Makefile
@@ -9,7 +9,7 @@ VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor
all: apparmor.vim manpages htmlmanpages
apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
- ${PYTHON} create-apparmor.vim.py > apparmor.vim
+ ${PYTHON} create-apparmor.vim.py > apparmor.vim || { rm -f apparmor.vim ; exit 1; }
manpages: $(MANPAGES)
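Review bot: removing the half-written target on failure is the right fix, since the redirection creates `apparmor.vim` before python runs and a later `make` would otherwise consider it up to date; the same effect for every rule in the Makefile is available with the `.DELETE_ON_ERROR:` special target, which avoids repeating the `|| { rm -f ...; exit 1; }` idiom.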
diff --git a/utils/vim/apparmor.vim.in b/utils/vim/apparmor.vim.in
index 6451aa08..e2677d83 100644
--- a/utils/vim/apparmor.vim.in
+++ b/utils/vim/apparmor.vim.in
@@ -113,7 +113,7 @@ syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as er
" TODO: make a separate pattern for variable definitions, then mark sdGlob as contained
syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/
-syn match sdAlias /\v^alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment
+syn match sdAlias /\v^\s*alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment
" syn match sdComment /#.*/
@@ -186,6 +186,8 @@ syn match sdComment /\s*#.*$/
" NOTE: Comment highlighting still works without contains=sdComment.
syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $
syn match sdInclude /\s*include\s<\S*>/ " TODO: doesn't check until $
+syn match sdInclude /\s*#include\sif\sexists\s<\S*>/ " TODO: doesn't check until $
+syn match sdInclude /\s*include\sif\sexists\s<\S*>/ " TODO: doesn't check until $
" basic profile block...
" \s+ does not work in end=, therefore using \s\s*
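Review bot: the new `#include\sif\sexists\s<\S*>` patterns use a single `\s` between tokens, so `include  if exists <...>` with more than one space (or a tab plus space) falls through to the `sdError` catch-all; use `\s\+` between the keywords, and the existing TODO about not anchoring at `$` applies to these two lines as well.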
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index 10bd5b8d..8a17bb43 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -42,24 +42,24 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
# Handle redirection of stderr
if outerr is None:
outerr = ''
- return [sp.returncode, out + outerr]
+ return [sp.returncode, out, outerr]
# get capabilities list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
+(rc, output, outerr) = cmd(['../../common/list_capabilities.sh'])
if rc != 0:
- sys.stderr.write("make list_capabilities failed: " + output)
+ sys.stderr.write("make list_capabilities failed: " + output + outerr)
exit(rc)
-capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
+capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n')
benign_caps = []
for cap in capabilities:
if cap not in danger_caps:
benign_caps.append(cap)
# get network protos list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+(rc, output, outerr) = cmd(['../../common/list_af_names.sh'])
if rc != 0:
- sys.stderr.write("make list_af_names failed: " + output)
+ sys.stderr.write("make list_af_names failed: " + output + outerr)
exit(rc)
af_names = []
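Review bot: the error messages still read "make list_capabilities failed" and "make list_af_names failed" although the scripts `../../common/list_capabilities.sh` and `../../common/list_af_names.sh` are what is run now; update them to name the script. `cmd()` now returns a three-element list, so any remaining two-element unpacking of its result in this file would raise at runtime; worth a grep. The relative script paths also assume the generator is started from `utils/vim`, which the Makefile guarantees, but `os.path.join(os.path.dirname(__file__), '..', '..', 'common', ...)` would make a direct invocation work too.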