1. 11 May, 2022 2 commits
  2. 28 Apr, 2022 1 commit
  3. 27 Apr, 2022 1 commit
  4. 19 Apr, 2022 4 commits
  5. 18 Apr, 2022 3 commits
  6. 16 Apr, 2022 3 commits
  7. 15 Apr, 2022 2 commits
  8. 12 Apr, 2022 4 commits
    • Merge Add zgrep and xzgrep profile · 41b44367
      John Johansen authored
      This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2
      aka CVE-2022-1271 (file write and code execution via "funny" filenames)
      
      I propose this addition for 3.0 and master.
      
      (Tested on openSUSE Tumbleweed - tests on other distros welcome ;-)
      
      MR: !870
      
      Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
      Merged-by: John Johansen <john@jjmx.net>
    • Merge add a common reload_profile() function to aa.py · 52e82516
      John Johansen authored
      This function is based on reload_profile() in tools.py, but also
      replaces most of reload_base() in aa.py.
      
      For bonus points, we get rid of shell=True when calling apparmor_parser.
      
      Note: This slightly changes the behaviour of aa-logprof and aa-genprof -
      if the parser errors out ($? > 0), the output no longer gets hidden.
      However, this will not raise an exception, and aa-logprof and aa-genprof
      won't abort on parser errors.
      
      MR: !855
      
      Approved-by: John Johansen <john@jjmx.net>
      Merged-by: John Johansen <john@jjmx.net>
    • Merge sbin.rpc.statd: add hosts_access abstraction, /etc/nfs.conf{,.d/} · 10360327
      John Johansen authored
      Observed these denials on an Ubuntu jammy system, when a user with an NFS homedir logs in:
      ```
      Mar 29 06:57:14 darkstar kernel: [ 5988.206958] audit: type=1400 audit(1648551434.502:72): apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/nfs.conf" pid=3195 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
      Mar 29 06:57:14 darkstar kernel: [ 5988.207023] audit: type=1400 audit(1648551434.502:73): apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/nfs.conf.d/" pid=3195 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
      Mar 29 10:48:49 darkstar kernel: [19883.319957] audit: type=1400 audit(1648565329.710:74): apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/hosts.allow" pid=3196 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
      Mar 29 10:48:49 darkstar kernel: [19883.320016] audit: type=1400 audit(1648565329.710:75): apparmor="DENIED" operation="open" profile="rpc.statd" name="/etc/hosts.deny" pid=3196 comm="rpc.statd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
      Mar 29 17:07:33 darkstar kernel: [  162.642366] audit: type=1400 audit(1648588053.026:72): apparmor="DENIED" operation="file_lock" profile="rpc.statd" name="/etc/nfs.conf" pid=1697 comm="rpc.statd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
      ```
      
      MR: !866
      
      Approved-by: John Johansen <john@jjmx.net>
      Merged-by: John Johansen <john@jjmx.net>
    • Merge profiles/apparmor.d/abstraction: Squash noisey setsockopt calls. · 4537a501
      John Johansen authored
      
      
      systemd will attempt to force socket buffer size using setsockopt
      and param SO_SNDBUFFORCE (which requires net_admin cap) if its previous
      attempt to set size was clipped by kernel limit.

      - Silence 'type=AVC msg=audit(1648725005.727:201): apparmor="DENIED" operation="capable" profile="smbd" pid=3054 comm="smbd" capability=12  capname="net_admin"'
        type entries.

      Signed-off-by: Noel Power <noel.power@suse.com>
      
      MR: !867
      
      Approved-by: John Johansen <john@jjmx.net>
      Merged-by: John Johansen <john@jjmx.net>
  9. 11 Apr, 2022 1 commit
  10. 04 Apr, 2022 1 commit
  11. 03 Apr, 2022 1 commit
  12. 31 Mar, 2022 1 commit
    • profiles/apparmor.d/abstraction: Squash noisey setsockopt calls. · 90f97357
      Noel Power authored
      
      
      systemd will attempt to force socket buffer size using setsockopt
      and param SO_SNDBUFFORCE (which requires net_admin cap) if its previous
      attempt to set size was clipped by kernel limit.

      - Silence 'type=AVC msg=audit(1648725005.727:201): apparmor="DENIED" operation="capable" profile="smbd" pid=3054 comm="smbd" capability=12  capname="net_admin"'
        type entries.

      Signed-off-by: Noel Power <noel.power@suse.com>
  13. 30 Mar, 2022 1 commit
  14. 25 Mar, 2022 1 commit
  15. 23 Mar, 2022 2 commits
  16. 22 Mar, 2022 1 commit
  17. 14 Mar, 2022 2 commits
  18. 13 Mar, 2022 2 commits
  19. 10 Mar, 2022 2 commits
  20. 27 Feb, 2022 2 commits
  21. 22 Feb, 2022 2 commits
  22. 21 Feb, 2022 1 commit