- 11 May, 2022 2 commits
-
-
Christian Boltz authored
aarch64 needs some additional rules on tumbleweed to handle for example

apparmor="DENIED" operation="file_mmap" profile="samba-dcerpcd" name="/usr/lib64/samba/samba-dcerpcd" pid=897 comm="samba-dcerpcd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

The other new rpcd_* services exhibit similar errors
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198309
Signed-off-by: Noel Power <noel.power@suse.com>
MR: !880
Approved-by: Christian Boltz <apparmor@cboltz.de> for 3.0 and master
Merged-by: Christian Boltz <apparmor@cboltz.de>
-
Noel Power authored
aarch64 needs some additional rules on tumbleweed to handle for example

apparmor="DENIED" operation="file_mmap" profile="samba-dcerpcd" name="/usr/lib64/samba/samba-dcerpcd" pid=897 comm="samba-dcerpcd" requested_mask="m" denied_mask="

The other new rpcd_* services exhibit similar errors
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198309
Signed-off-by: Noel Power <noel.power@suse.com>
-
- 28 Apr, 2022 1 commit
-
-
Christian Boltz authored
openSUSE works on extending zgrep to also support zstd-compressed files.
References: http://bugzilla.opensuse.org/show_bug.cgi?id=1198922
MR: !878
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
-
- 27 Apr, 2022 1 commit
-
-
Christian Boltz authored
openSUSE works on extending zgrep to also support zstd-compressed files.
References: http://bugzilla.opensuse.org/show_bug.cgi?id=1198922
-
- 19 Apr, 2022 4 commits
-
-
John Johansen authored
Credits go to Seth who proposed these tests in !196 (comment 108500403)
MR: !875
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
-
John Johansen authored
... and with that, make a rule in the php-fpm profile (which missed php8) superfluous.
Fixes: #229
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
MR: !876
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
-
John Johansen authored
The snap_browsers abstraction requires more permissions due to updates on snaps. Some of the permissions are not required in older versions of Ubuntu that use 2.12 and 2.13, but are introduced for unification and ease of maintenance purposes. These include:

```
all dbus permissions,
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/cgroup r,
/var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
```

I also propose a cherry-pick of this commit to 2.12, 2.13 and 3.0
MR: !877
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
-
Georgia Garcia authored
The snap_browsers abstraction requires more permissions due to updates on snaps. Some of the permissions are not required in older versions of Ubuntu that use 2.12 and 2.13, but are introduced for unification and ease of maintenance purposes. These include:

all dbus permissions,
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/cgroup r,
/var/lib/snapd/sequence/{chromium,firefox,opera}.json r,

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
-
- 18 Apr, 2022 3 commits
-
-
Christian Boltz authored
... and with that, make a rule in the php-fpm profile (which missed php8) superfluous.
Fixes: #229
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
-
Christian Boltz authored
... which was the only caller of this tiny function.
MR: !874
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
-
Christian Boltz authored
expr is used for parsing commandline options in zgrep.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198531
MR: !873
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
-
- 16 Apr, 2022 3 commits
-
-
Christian Boltz authored
Credits go to Seth who proposed these tests in !196 (comment 108500403)
-
Christian Boltz authored
... which was the only caller of this tiny function.
-
Christian Boltz authored
expr is used for parsing commandline options in zgrep.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198531
-
- 15 Apr, 2022 2 commits
-
-
Christian Boltz authored
samba-4.16 has a completely new dcerpc subsystem; services that used to be built into the smbd daemon itself (and deployed in forked instances) are now hosted in standalone binaries.
The following new binaries now need new profiles:
rpcd_classic
rpcd_epmapper
rpcd_fsrvp
rpcd_lsad
rpcd_mdssvc
rpcd_rpcecho
rpcd_spoolss
rpcd_winreg
samba-dcerpcd
Additionally smbd & winbindd need new entries because they exec samba-dcerpcd
Signed-off-by: Noel Power <noel.power@suse.com>
MR: !871
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
-
Noel Power authored
samba-4.16 has a completely new dcerpc subsystem; services that used to be built into the smbd daemon itself (and deployed in forked instances) are now hosted in standalone binaries.
The following new binaries now need new profiles:
rpcd_classic
rpcd_epmapper
rpcd_fsrvp
rpcd_lsad
rpcd_mdssvc
rpcd_rpcecho
rpcd_spoolss
rpcd_winreg
samba-dcerpcd
Mostly these are captured in a single common profile 'samba-rpcd'
Additionally smbd & winbindd need new entries because they exec samba-dcerpcd
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198309
Signed-off-by: Noel Power <noel.power@suse.com>
-
- 12 Apr, 2022 4 commits
-
-
John Johansen authored
This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames)
I propose this addition for 3.0 and master.
(Tested on openSUSE Tumbleweed - tests on other distros welcome ;-)
MR: !870
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
-
John Johansen authored
This function is based on reload_profile() in tools.py, but also replaces most of reload_base() in aa.py.
For bonus points, we get rid of shell=True when calling apparmor_parser.
Note: This slightly changes the behaviour of aa-logprof and aa-genprof - if the parser errors out ($? > 0), the output no longer gets hidden. However, this will not raise an exception, and aa-logprof and aa-genprof won't abort on parser errors.
MR: !855
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
-
John Johansen authored
Observed these denials on an Ubuntu jammy system, when a user with an NFS homedir logs in:

```
Mar 29 06:57:14 darkstar kernel: [ 5988.206958] audit: type=1400 audit(1648551434.502:72): apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/nfs.conf" pid=3195 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 29 06:57:14 darkstar kernel: [ 5988.207023] audit: type=1400 audit(1648551434.502:73): apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/nfs.conf.d/" pid=3195 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 29 10:48:49 darkstar kernel: [19883.319957] audit: type=1400 audit(1648565329.710:74): apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/hosts.allow" pid=3196 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Mar 29 10:48:49 darkstar kernel: [19883.320016] audit: type=1400 audit(1648565329.710:75): apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/hosts.deny" pid=3196 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Mar 29 17:07:33 darkstar kernel: [ 162.642366] audit: type=1400 audit(1648588053.026:72): apparmor="DENIED" operation="file_lock" profile="rpc.statd" name="/etc/nfs.conf" pid=1697 comm="rpc.statd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
```

MR: !866
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
-
John Johansen authored
systemd will attempt to force socket buffer size using setsockopt and param SO_SNDBUFFORCE (which requires the net_admin cap) if its previous attempt to set the size was clipped by the kernel limit.
- Silence 'type=AVC msg=audit(1648725005.727:201): apparmor="DENIED" operation="capable" profile="smbd" pid=3054 comm="smbd" capability=12 capname="net_admin"' type entries.
Signed-off-by: Noel Power <noel.power@suse.com>
MR: !867
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
-
- 11 Apr, 2022 1 commit
-
-
Christian Boltz authored
This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames)
-
- 04 Apr, 2022 1 commit
-
-
Christian Boltz authored
... if a test is expected to fail, but succeeds.
Also fix the copyright year - the test was created in 2022, not in 2013.
This fixes my comments on bd78b6b2
The original MR !850 was merged into 3.0 and master, therefore I also propose this patch for 3.0 and master.
MR: !868
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
-
- 03 Apr, 2022 1 commit
-
-
Christian Boltz authored
... if a test is expected to fail, but succeeds.
Also fix the copyright year - the test was created in 2022, not in 2013.
This fixes my comments on bd78b6b2
-
- 31 Mar, 2022 1 commit
-
-
Noel Power authored
systemd will attempt to force socket buffer size using setsockopt and param SO_SNDBUFFORCE (which requires the net_admin cap) if its previous attempt to set the size was clipped by the kernel limit.
- Silence 'type=AVC msg=audit(1648725005.727:201): apparmor="DENIED" operation="capable" profile="smbd" pid=3054 comm="smbd" capability=12 capname="net_admin"' type entries.
Signed-off-by: Noel Power <noel.power@suse.com>
-
- 30 Mar, 2022 1 commit
-
-
Daniel Richard G. authored
Also update to use @{run}
-
- 25 Mar, 2022 1 commit
-
-
Christian Boltz authored
Similar to commit 2f9d172c, we discovered that there was a service outage when dovecot tried to send a usr1 signal:

type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"

MR: !865
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
-
- 23 Mar, 2022 2 commits
-
-
Christian Boltz authored
- add pki/blacklist and pki/blocklist
- add /usr/share/pki/ in addition to /etc/pki/
pki/blocklist was suggested by @darix, the other changes are things I noticed while adding it.
I propose this patch for 3.0 and master.
(`abstractions/ssl_certs` on 2.x branches is quite different and needs a manual backport (or more cherry-picks) if you want to backport this MR.)
MR: !864
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
-
Bernhard M. Wiedemann authored
Similar to commit 2f9d172c, we discovered that there was a service outage when dovecot tried to send a usr1 signal:

type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
-
- 22 Mar, 2022 1 commit
-
-
Christian Boltz authored
- add pki/blacklist and pki/blocklist
- add /usr/share/pki/ in addition to /etc/pki/
pki/blocklist was suggested by @darix, the other changes are things I noticed while adding it.
-
- 14 Mar, 2022 2 commits
-
-
Christian Boltz authored
- Fix "type=AVC msg=audit(1646702374.347:182): apparmor="DENIED" operation="open" profile="samba-bgqd" name="/proc/1933/fd/" pid=1933 comm="samba-bgqd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0" entries appearing in SLE15-SP4
Signed-off-by: Noel Power <noel.power@suse.com>
MR: !860
Merged-by: Christian Boltz <apparmor@cboltz.de>
-
Noel Power authored
- Fix "type=AVC msg=audit(1646702374.347:182): apparmor="DENIED" operation="open" profile="samba-bgqd" name="/proc/1933/fd/" pid=1933 comm="samba-bgqd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0" entries appearing in SLE15-SP4
Signed-off-by: Noel Power <noel.power@suse.com>
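The denial records quoted in the commit messages above (samba-dcerpcd, rpc.statd, smbd, dovecot, samba-bgqd) all share one key=value audit format, and each one maps to a specific kind of profile rule: a file rule with a permission mask, a `capability` rule, or a `signal` rule. The Python below is an added example, not code from the AppArmor project: it parses such records and derives the rule each profile would need, merging masks for a path that shows up more than once. The sample log is assembled from the lines quoted on this page; the `owner` heuristic (fsuid equal to ouid) and the `@{PROC}/@{pid}/` substitution are assumptions about what a maintainer would want, not a statement of what the respective commits actually added.

```python
import re
from collections import defaultdict

# Sample DENIED records, copied from the commit messages on this page
# (one keeps its full syslog prefix to show the parser tolerates it).
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_mmap" profile="samba-dcerpcd" name="/usr/lib64/samba/samba-dcerpcd" pid=897 comm="samba-dcerpcd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Mar 29 06:57:14 darkstar kernel: [ 5988.206958] audit: type=1400 audit(1648551434.502:72): apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/nfs.conf" pid=3195 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/nfs.conf.d/" pid=3195 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/hosts.allow" pid=3196 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/hosts.deny" pid=3196 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
apparmor="DENIED" operation="file_lock" profile="rpc.statd" name="/etc/nfs.conf" pid=1697 comm="rpc.statd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1648725005.727:201): apparmor="DENIED" operation="capable" profile="smbd" pid=3054 comm="smbd" capability=12 capname="net_admin"
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
type=AVC msg=audit(1646702374.347:182): apparmor="DENIED" operation="open" profile="samba-bgqd" name="/proc/1933/fd/" pid=1933 comm="samba-bgqd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which permission letters are conventionally written in profiles.
MASK_ORDER = "rwalkmx"


def parse_record(line):
    """Turn one audit line into a dict of its key=value fields (quotes stripped)."""
    return {key: (bare if bare else quoted) for key, quoted, bare in _KV.findall(line)}


def _canonical_mask(mask):
    known = "".join(c for c in MASK_ORDER if c in mask)
    return known + "".join(sorted(set(mask) - set(MASK_ORDER)))


def _generalise_path(name, pid):
    """Replace the process's own /proc/<pid>/ prefix with the @{PROC}/@{pid}/
    tunables so the rule does not hard-code a pid (assumed desirable here)."""
    prefix = "/proc/%s/" % pid
    if pid and name.startswith(prefix):
        return "@{PROC}/@{pid}/" + name[len(prefix):]
    return name


def suggest_rules(log_text):
    """Map DENIED records to the profile rules that would allow them.

    Returns {profile: [rule, ...]}. File denials for the same path are merged
    into one rule; a mask containing 'x' is emitted as a comment because the
    exec transition mode (ix/Px/Cx/Ux) has to be chosen by a human.
    """
    files = defaultdict(lambda: defaultdict(str))  # profile -> (owner, path) -> mask
    other = defaultdict(set)                        # profile -> finished rules
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = parse_record(line)
        profile, op = rec.get("profile"), rec.get("operation")
        if not profile or not op:
            continue
        if op == "capable" and "capname" in rec:
            other[profile].add("capability %s," % rec["capname"])
        elif op == "signal":
            rule = "signal %s" % rec.get("denied_mask", rec.get("requested_mask", ""))
            if "signal" in rec:
                rule += " set=(%s)" % rec["signal"]
            if "peer" in rec:
                rule += " peer=%s" % rec["peer"]
            other[profile].add(rule + ",")
        elif "name" in rec and "denied_mask" in rec:
            # Propose 'owner' when the accessing uid owns the object.
            owner = "fsuid" in rec and rec["fsuid"] == rec.get("ouid")
            path = _generalise_path(rec["name"], rec.get("pid"))
            files[profile][(owner, path)] += rec["denied_mask"]
        # dbus, network, mount, ... denials are left for manual review.
    result = {}
    for profile in set(files) | set(other):
        rules = set(other[profile])
        for (owner, path), mask in files[profile].items():
            prefix = "owner " if owner else ""
            mask = _canonical_mask(mask)
            if "x" in mask:
                rules.add("# %s%s %s,  (exec: choose ix/Px/Cx/Ux by hand)" % (prefix, path, mask))
            else:
                rules.add("%s%s %s," % (prefix, path, mask))
        result[profile] = sorted(rules)
    return result


if __name__ == "__main__":
    for profile, rules in sorted(suggest_rules(SAMPLE_LOG).items()):
        print("profile %s {" % profile)
        for rule in rules:
            print("  " + rule)
        print("}")
```

The output is a starting point, not a finished profile: aa-logprof would additionally offer globbing, abstractions and the `owner` versus plain variant as choices, and a rule such as `owner /usr/lib64/samba/samba-dcerpcd m,` is only right if the binary really is owned by the uid the service runs as.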
-
- 13 Mar, 2022 2 commits
-
-
John Johansen authored
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1195463#c10
I propose this patch for 3.0 and master.
(<= 2.13 don't have the samba-bgpd profile - if we want to backport to 2.x, we'll have to pick only the smbd part.)
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1195463#c10
MR: !862
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
-
Christian Boltz authored
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1195463#c10
-
- 10 Mar, 2022 2 commits
-
-
John Johansen authored
See downstream bug at https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964325
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: !861
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
-
Alex Murray authored
See downstream bug at https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964325
Signed-off-by: Alex Murray <alex.murray@canonical.com>
-
- 27 Feb, 2022 2 commits
-
-
John Johansen authored
libapparmor: fix handling of failed symlink traversal, fixed a couple of directory walk issues that could cause failures.
The test included in this commit was supposed to be included in the previous commit, but was accidentally dropped. Even worse, the make file changes did make it, causing the previous commit to break the CI.
Fixes: MR: !85
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Ideally we would have a flag or something so the caller could choose to handle symlinks, or traverse them. But since all callers currently don't handle symlinks, just handle them in the iterator.
Beyond fixing the early termination due to a failed symlink, this also fixes another case where a failure in one job causes dir based loads to terminate early, which can result in partial loads.
Fixes: #215
MR: !850
Signed-off-by: John Johansen <john.johansen@canonical.com>
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
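The failure mode described in the two libapparmor commits above (a dangling symlink, or any entry that cannot be traversed, ending a directory-based load early so that only part of the profile set is loaded) is easy to reproduce in a few lines. The Python below is an added example, not libapparmor's own iterator: it builds a constructed profile directory containing a symlink to a missing target, then contrasts a loader that stops at the first error with one that records the bad entry and carries on. The file names and the "profile" contents are made up for the fixture.

```python
import os
import tempfile


def make_fixture():
    """Constructed profile directory: three regular files plus a symlink whose
    target does not exist, named so that it sorts between them."""
    d = tempfile.mkdtemp(prefix="aa-profiles-")
    for name in ("a.profile", "b.profile", "z.profile"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("# constructed sample, not a real profile\n")
    os.symlink(os.path.join(d, "missing-target"), os.path.join(d, "m.link"))
    return d


def load_profiles_naive(directory):
    """The buggy shape: the first entry that cannot be stat()ed aborts the
    walk, and the caller is handed a silently truncated list."""
    loaded = []
    try:
        for entry in sorted(os.listdir(directory)):
            os.stat(os.path.join(directory, entry))  # raises on a dangling symlink
            loaded.append(entry)
    except OSError:
        pass  # partial load: everything sorted after the bad entry is lost
    return loaded


def load_profiles(directory):
    """Walk every entry; skip what cannot be used and say why, so one bad
    entry never cuts off the ones after it. Returns (loaded, skipped)."""
    loaded, skipped = [], []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if entry.startswith(".") or entry.endswith("~"):
            skipped.append((entry, "ignored name"))
            continue
        if os.path.islink(path) and not os.path.exists(path):
            skipped.append((entry, "dangling symlink"))
            continue
        try:
            os.stat(path)
        except OSError as exc:
            skipped.append((entry, exc.strerror or type(exc).__name__))
            continue
        if not os.path.isfile(path):
            skipped.append((entry, "not a regular file"))
            continue
        loaded.append(entry)
    return loaded, skipped


if __name__ == "__main__":
    d = make_fixture()
    print("naive :", load_profiles_naive(d))
    loaded, skipped = load_profiles(d)
    print("robust:", loaded, "skipped:", skipped)
```

The naive loader returns only the entries sorted before the dangling symlink, which is exactly the partial-load symptom; the second loader reports the symlink and still loads the profile that sorts after it.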
-
- 22 Feb, 2022 2 commits
-
-
John Johansen authored
The recently added gtk abstraction (!825) lacks support for the new gtk4.
MR: !857
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
-
Alex authored
-
- 21 Feb, 2022 1 commit
-
-
Christian Boltz authored
Get rid of subprocess with shell=True
Simplify logmark used in syslog. Instead of using `date | md5sum` and parsing the output to get the actual md5sum (without the stdin filename), use the current unixtime with a `logmark-` prefix.
MR: !856
Acked-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
-