1. 19 Apr, 2022 1 commit
  2. 25 Mar, 2022 1 commit
  3. 17 Mar, 2022 1 commit
    • add snap-browsers profile · c87b4e80
      Georgia Garcia authored
      Whenever the evince deb package tries to open a snap browser which was
      selected as the default, we get the following denial:
      
      audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
      
      As a short-term solution, we are adding a snap-browsers profile
      which restricts what snaps opened by evince can do.
      The long-term solution is currently not available, but could be
      accomplished by using enhanced environment variable filtering/mediation
      and delegation of open fds.
      
      Bug: https://launchpad.net/bugs/1794064
      
      Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
      (cherry picked from commit fb3283f3)
      MR: !863
      
      Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
      c87b4e80
  4. 13 Mar, 2022 1 commit
  5. 10 Mar, 2022 1 commit
    • Merge [2.x..3.0] aa-remove-unknown: abort on parser failure · 903e58a7
      John Johansen authored
      If apparmor_parser -N (in profiles_names_list()) fails,
      aa-remove-unknown possibly gets an incomplete list of profiles in
      /etc/apparmor.d/ and therefore might remove more profiles than it
      should.
      
      Replace the profiles_names_list() call with a direct apparmor_parser
      call, and abort aa-remove-unknown if it exits with $? != 0
      
      Before:
      ```
      aa-remove-unknown -n
      AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
      Would remove 'delete_me'
      ```
      
      After:
      ```
      ./aa-remove-unknown -n
      AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
      apparmor_parser exited with failure, aborting.
      ```
      
      And of course, after fixing the broken profile:
      ```
      ./aa-remove-unknown -n
      Would remove 'delete_me'
      ```
      
      (cherry picked from commit 5053a01d)
      
      This backports the fix in `aa-remove-unknown` from !836, but doesn't backport the cleanup in `rc.apparmor.functions`.
      
      I propose this patch for 3.0 and all 2.x branches.
      
      MR: !859
      
      Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
      Merged-by: John Johansen <john@jjmx.net>
      (cherry picked from commit c6324c2a)
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      903e58a7
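The check the commit above describes, as an added illustration (not the project's own script): the parser's profile list is trusted only when the parser exited 0, otherwise the removal step aborts. `parser_cmd` is a parameter (an assumption of this example) so it can run offline against a stand-in command; the real script invokes `apparmor_parser -N` on /etc/apparmor.d.

```python
import subprocess

def profile_names(parser_cmd):
    """Return the profile names the parser printed, or None if it exited non-zero.

    A non-zero exit means the list may be incomplete (a broken profile stops
    the parser early), so a caller must not treat it as "the set of known
    profiles" - that is exactly how the old aa-remove-unknown over-removed.
    """
    res = subprocess.run(parser_cmd, capture_output=True, text=True)
    if res.returncode != 0:
        return None
    return [line.strip() for line in res.stdout.splitlines() if line.strip()]

def profiles_to_remove(loaded, parser_cmd):
    """Loaded profiles not known to the parser; None means 'abort, parser failed'."""
    known = profile_names(parser_cmd)
    if known is None:
        return None
    return [p for p in loaded if p not in known]

if __name__ == "__main__":
    # Constructed stand-in for "apparmor_parser -N": prints one name, then fails,
    # mimicking a syntax error in a later profile file.
    failing = ["sh", "-c", "echo usr.bin.foo; echo 'parser error' >&2; exit 1"]
    result = profiles_to_remove(["usr.bin.foo", "delete_me"], failing)
    print("apparmor_parser exited with failure, aborting." if result is None
          else f"Would remove {result}")
```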
  6. 17 Jan, 2022 1 commit
  7. 30 Oct, 2021 1 commit
  8. 26 Aug, 2021 1 commit
  9. 20 Aug, 2021 1 commit
  10. 17 Aug, 2021 1 commit
  11. 13 Aug, 2021 1 commit
  12. 21 Jul, 2021 1 commit
  13. 14 Jul, 2021 1 commit
  14. 28 Jun, 2021 1 commit
  15. 24 May, 2021 1 commit
  16. 31 Mar, 2021 1 commit
  17. 16 Mar, 2021 1 commit
  18. 15 Mar, 2021 1 commit
  19. 14 Mar, 2021 3 commits
    • abstractions: Add missing rule in wutmp abstraction · b4d8b92e
      Mikhail Morfikov authored
      Currently the wutmp abstraction has the following rules:
        /var/log/lastlog  rwk,
        /var/log/wtmp     wk,
        @{run}/utmp       rwk,
      
      According to what I see in my apparmor profiles, just a few apps want
      to interact with the files listed above, especially with
      /var/log/wtmp. But when the apps do this, they sometimes want the
      read access to this file. An example could be the last command. Is
      there any reason for not having the r in the rule? The second thing
      is the file /var/log/btmp (which isn't included in the
      abstraction). Whenever I see an app which wants to access the
      /var/log/wtmp file, it also tries to interact with the /var/log/btmp
      file, for instance lightdm/sddm or su. Most of the time they need
      just wk permissions, but sometimes apps also need r on this file; an
      example could be the lastb command, which is just a link to last.
      
      Fixes: #152
      MR: !724
      
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      (cherry picked from commit d4e0a945)
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      b4d8b92e
    • parser: fix backport of MR700 · 2baa01bd
      John Johansen authored
      The backport of
        855dbd4a parser: fix rule downgrade for unix rules
      
      uses rule_t::warn_once, which doesn't exist in the 2.x parser
      series. Switch this to the static function warn_once.
      
      8b481b5f parser: fix rule downgrade for unix rules
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      2baa01bd
    • parser: fix rule downgrade for unix rules · 8b481b5f
      John Johansen authored
      Rule downgrades are used to provide some confinement when a feature
      is only partially supported by the kernel.
      
        Eg. On a kernel that doesn't support fine grained af_unix mediation
            but does support network mediation.
      
              unix (connect, receive, send)
                    type=stream
                    peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
      
            will be downgraded to
      
              network unix type=stream,
      
      Which, while more permissive, still provides some mediation while
      allowing the application to still function. However, making the rule
      a deny rule results in tightening the profile.
      
        Eg.
              deny unix (connect, receive, send)
                    type=stream
                    peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
      
            will be downgraded to
      
              deny network unix type=stream,
      
      and that deny rule will take priority over any allow rule. Which means
      that if the profile also had unix allow rules they will get blocked by
      the downgraded deny rule, because deny rules have a higher priority,
      and the application will break. Even worse there is no way to add the
      functionality back to the profile without deleting the offending deny
      rule.
      
      To fix this we drop deny rules that can't be downgraded in a way that
      won't break the application.
      
      Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766
      MR: !700
      
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      (cherry picked from commit 855dbd4a)
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      8b481b5f
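A model of the downgrade decision the commit above describes, written as an added example (it is not the parser's code and the function names are this example's own): an allow `unix` rule loses its peer/addr conditions and becomes `network unix type=...,`, while a `deny unix` rule is dropped because its downgraded form would out-rank every allow rule.

```python
import re

# Matches one complete unix rule, optionally prefixed with "deny"; the body holds
# everything between the "unix" keyword and the terminating comma.
UNIX_RULE_RE = re.compile(r'^\s*(?P<deny>deny\s+)?unix\b(?P<body>.*?),\s*$', re.DOTALL)

def downgrade_unix_rule(rule, kernel_has_af_unix=False):
    """Rule to emit for this kernel, or None when the rule must be dropped."""
    m = UNIX_RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a unix rule: {rule!r}")
    if kernel_has_af_unix:
        return rule.strip()  # fine-grained af_unix mediation: keep the rule as written
    if m.group("deny"):
        # Only "network unix type=..." is expressible, which is broader than the
        # original deny; as a deny it would beat every allow rule, so drop it.
        return None
    tm = re.search(r'\btype=(\w+)', m.group("body"))
    return f'network unix type={tm.group(1)},' if tm else 'network unix,'

def downgrade_profile(rules, kernel_has_af_unix=False):
    """Downgrade all unix rules of a profile; return (kept_rules, dropped_count)."""
    kept, dropped = [], 0
    for r in rules:
        new = downgrade_unix_rule(r, kernel_has_af_unix)
        if new is None:
            dropped += 1
        else:
            kept.append(new)
    if dropped:  # warn once per profile, as the parser's warn_once does
        print(f"warning: dropped {dropped} deny unix rule(s) that cannot be downgraded safely")
    return kept, dropped
```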
  20. 12 Feb, 2021 2 commits
    • Fix nscd conflict with systemd-homed · 7d196223
      Rose Kunkel authored
      My main user account is managed by systemd-homed. When I enable
      AppArmor and have nscd running, I get inconsistent behavior with my
      user account - sometimes I can't log in, sometimes I can log in but
      not use sudo, etc.
      
      This is the output of getent passwd:
        $ getent passwd
        root:x:0:0::/root:/usr/bin/zsh
        bin:x:1:1::/:/sbin/nologin
        daemon:x:2:2::/:/sbin/nologin
        mail:x:8:12::/var/spool/mail:/sbin/nologin
        ftp:x:14:11::/srv/ftp:/sbin/nologin
        http:x:33:33::/srv/http:/sbin/nologin
        nobody:x:65534:65534:Nobody:/:/sbin/nologin
        dbus:x:81:81:System Message Bus:/:/sbin/nologin
        [...]
        rose:x:1000:1000:Rose Kunkel:/home/rose:/usr/bin/zsh
      
      But getent passwd rose and getent passwd 1000 both return no output.
      Stopping nscd.service fixes these problems. Checking the apparmor
      logs, I noticed that nscd was denied access to
      /etc/machine-id. Allowing access to that file seems to have fixed the
      issue.
      
      MR: !707
      Fixes: #145
      
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      (cherry picked from commit ee5303c8)
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      7d196223
    • profiles: firefox Add support for widevine DRM · 678271e1
      Seth Arnold authored
      Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1
      
      Running firefox, then going to netflix.com and attempting to play a
      movie, the widevinecdm plugin crashes; the following is found in
      syslog:
      
      Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
      Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
      Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
      Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert
      ...
      
      Fixes: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1777070
      
      Reported-by: Xav Paice <xav.paice@canonical.com>
      MR: !684
      
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Steve Beattie <steve.beattie@canonical.com>
      (cherry picked from commit 656f2103)
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      678271e1
  21. 11 Feb, 2021 1 commit
  22. 11 Dec, 2020 1 commit
  23. 28 Nov, 2020 1 commit
  24. 17 Nov, 2020 1 commit
  25. 03 Nov, 2020 1 commit
  26. 01 Nov, 2020 2 commits
  27. 26 Oct, 2020 2 commits
    • dovecot: allow reading dh.pem · 081717cd
      Vincas Dargis authored
      Dovecot is hit with this denial on Debian 10 (buster):
      ```
      type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
      operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
      pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
      ouid=0
      ```
      
      This results in a fatal error:
      
      ```
      Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
      file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
      /usr/share/dovecot/dh.pem: Permission denied
      ```
      
      Add rule to allow reading dh.pem.
      
      MR: !671
      (cherry picked from commit 9d8e111a)
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      081717cd
    • dovecot: allow kill signal · f566d8b3
      Vincas Dargis authored
      Dovecot might try to kill related processes:
      
      ```
      type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED"
      operation="signal" profile="dovecot" pid=21223 comm="dovecot"
      requested_mask="send" denied_mask="send" signal=kill
      peer="/usr/lib/dovecot/auth"
      
      type=AVC msg=audit(1601315453.655:9369): apparmor="DENIED"
      operation="signal" profile="dovecot" pid=21223 comm="dovecot"
      requested_mask="send" denied_mask="send" signal=kill
      peer="/usr/lib/dovecot/pop3"
      
      type=AVC msg=audit(1602939754.145:101362): apparmor="DENIED"
      operation="signal" profile="dovecot" pid=31632 comm="dovecot"
      requested_mask="send" denied_mask="send" signal=kill
      peer="/usr/lib/dovecot/pop3-login"
      ```
      This was discovered on a low-power high-load machine (last resort timeout
      handling?).
      
      Update signal rule to allow SIGKILL.
      
      MR: !671
      (cherry picked from commit 2f9d172c)
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      f566d8b3
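Several commits on this page (evince exec of /usr/bin/snap, firefox widevine mmap, the two dovecot denials) start from an `apparmor="DENIED"` audit record. As an added example, not code from the AppArmor project, this parser reads such records in the three shapes quoted above (bare `audit[...]: AVC`, kernel syslog `audit: type=1400`, and `type=AVC msg=audit(...)`) and groups candidate rules by profile for triage; the sample log is constructed from the page's own lines and `suggest_rule` is this example's own sketch, which a policy author still reviews.

```python
import re

# Constructed sample log, copied in shape from the denials quoted in the commits above.
SAMPLE_LOG = """\
audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED" operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED" operation="signal" profile="dovecot" pid=21223 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/auth"
"""

# key=value pairs: values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def suggest_rule(d):
    """Sketch the rule that would cover the denial (this example's own heuristic)."""
    op, mask = d.get("operation"), d.get("requested_mask", "")
    if op == "exec":
        # "x" alone is not a valid permission: the author must choose ix/Px/Cx
        # (the evince commit chose a dedicated child profile instead of a blanket allow)
        return f'{d["name"]} Px,  # placeholder: decide ix/Px/Cx'
    if op in ("open", "file_mmap", "file_perm", "file_inherit"):
        return f'{d["name"]} {mask},'
    if op == "signal":
        return f'signal ({mask}) set=({d["signal"]}) peer={d["peer"]},'
    if op == "ptrace":
        return f'ptrace ({mask}) peer={d["peer"]},'
    return f'# unhandled operation {op}'

def triage(log_text):
    """Group distinct candidate rules by profile, preserving first-seen order."""
    out = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d:
            rules = out.setdefault(d["profile"], [])
            rule = suggest_rule(d)
            if rule not in rules:
                rules.append(rule)
    return out

if __name__ == "__main__":
    for profile, rules in triage(SAMPLE_LOG).items():
        print(profile, rules, sep="\n  ")
```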
  28. 15 Oct, 2020 1 commit
  29. 09 Oct, 2020 3 commits
  30. 03 Oct, 2020 2 commits
  31. 29 Sep, 2020 2 commits