Skip to content
GitLab
Switch branch/tag
  1. 19 Apr, 2022 1 commit
  3. 25 Mar, 2022 1 commit
  5. 17 Mar, 2022 1 commit
    • Georgia Garcia's avatar
      add snap-browsers profile · c87b4e80
      Georgia Garcia authored 
      Whenever the evince deb package tries to open a snap browser which was
selected as the default, we get the following denial:

audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

As a short-term solution, we are adding a snap-browsers profile
which restricts what snaps opened by evince can do.
The long-term solution is currently not available, but could be
accomplished by using enhanced environment variable filtering/mediation
and delegation of open fds.

Bug: https://launchpad.net/bugs/1794064

Signed-off-by: Georgia Garcia's avatarGeorgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit fb3283f3)
MR: !863

Signed-off-by: Georgia Garcia's avatarGeorgia Garcia <georgia.garcia@canonical.com>
      c87b4e80
  7. 13 Mar, 2022 1 commit
  9. 10 Mar, 2022 1 commit
    • John Johansen's avatar
      Merge [2.x..3.0] aa-remove-unknown: abort on parser failure · 903e58a7
      John Johansen authored 
      If apparmor_parser -N (in profiles_names_list()) fails,
aa-remove-unknown possibly gets an incomplete list of profiles in
/etc/apparmor.d/ and therefore might remove more profiles than it
should.

Replace the profiles_names_list() call with a direct apparmor_parser
call, and abort aa-remove-unknown if it exits with $? != 0

Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```

After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```

And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```

(cherry picked from commit 5053a01d)

This backports the fix in `aa-remove-unknown` from !836, but doesn't backport the cleanup in `rc.apparmor.functions`.

I propose this patch for 3.0 and all 2.x branches.

MR: !859

Approved-by: Georgia Garcia's avatarGeorgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
(cherry picked from commit c6324c2a

)
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      903e58a7
  11. 17 Jan, 2022 1 commit
  13. 30 Oct, 2021 1 commit
  15. 26 Aug, 2021 1 commit
  17. 20 Aug, 2021 1 commit
  19. 17 Aug, 2021 1 commit
  21. 13 Aug, 2021 1 commit
  23. 21 Jul, 2021 1 commit
  25. 14 Jul, 2021 1 commit
  27. 28 Jun, 2021 1 commit
  29. 24 May, 2021 1 commit
  31. 31 Mar, 2021 1 commit
  33. 16 Mar, 2021 1 commit
  35. 15 Mar, 2021 1 commit
  37. 14 Mar, 2021 3 commits
    • Mikhail Morfikov's avatar
      abstractions: Add missing rule in wutmp abstraction · b4d8b92e
      Mikhail Morfikov authored 
      Currently the wutmp abstraction has the following rules:
  /var/log/lastlog  rwk,
  /var/log/wtmp     wk,
  @{run}/utmp       rwk,

According to what I see in my apparmor profiles, just a few apps want
to interact with the files listed above, especially with the
/var/log/wtmp . But when the apps do this, they sometimes want the
read access to this file. An example could be the last command. Is
there any reason for not having the r in the rule?  The second thing
is the file /var/log/btmp (which isn't included in the
abstracion). Whenever I see an app, which wants to access the
/var/log/wtmp file, it also tries to interact with the /var/log/btmp
file, for instance lightdm/sddm or su . Most of the time they need
just wk permissions, but sometimes apps need also r on this file, an
example could be the lastb command, which is just a link to last.

Fixes: #152
MR: !724

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
(cherry picked from commit d4e0a945

)
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      b4d8b92e
    • John Johansen's avatar
      parser: fix backport of MR700 · 2baa01bd
      John Johansen authored 
      The backport of
  855dbd4a parser: fix rule downgrade for unix rules

using the rule_t::warn_once which doesn't exist in the 2.x parser
series. Switch this the the static function warn_once.

8b481b5f

 parser: fix rule downgrade for unix rules
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      2baa01bd
    • John Johansen's avatar
      parser: fix rule downgrade for unix rules · 8b481b5f
      John Johansen authored 
      Rule downgrades are used to provide some confinement when a feature
is only partially supported by the kernel.

  Eg. On a kernel that doesn't support fine grained af_unix mediation
      but does support network mediation.

        unix (connect, receive, send)
              type=stream
              peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

      will be downgraded to

        network unix type=stream,

Which while more permissive still provides some mediation while
allowing the appication to still function. However making the rule
a deny rule result in tightening the profile.

  Eg.
        deny unix (connect, receive, send)
              type=stream
              peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

      will be downgraded to

        deny network unix type=stream,

and that deny rule will take priority over any allow rule. Which means
that if the profile also had unix allow rules they will get blocked by
the downgraded deny rule, because deny rules have a higher priority,
and the application will break. Even worse there is no way to add the
functionality back to the profile without deleting the offending deny
rule.

To fix this we drop deny rules that can't be downgraded in a way that
won't break the application.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766
MR: !700

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
(cherry picked from commit 855dbd4a

)
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      8b481b5f
  39. 12 Feb, 2021 2 commits
    • Rose Kunkel's avatar
      Fix nscd conflict with systemd-homed · 7d196223
      Rose Kunkel authored 
      My main user account is managed by systemd-homed. When I enable
AppArmor and have nscd running, I get inconsistent behavior with my
user account - sometimes I can't log in, sometimes I can log in but
not use sudo, etc.

This is the output of getent passwd:
  $ getent passwd
  root:x:0:0::/root:/usr/bin/zsh
  bin:x:1:1::/:/sbin/nologin
  daemon:x:2:2::/:/sbin/nologin
  mail:x:8:12::/var/spool/mail:/sbin/nologin
  ftp:x:14:11::/srv/ftp:/sbin/nologin
  http:x:33:33::/srv/http:/sbin/nologin
  nobody:x:65534:65534:Nobody:/:/sbin/nologin
  dbus:x:81:81:System Message Bus:/:/sbin/nologin
  [...]
  rose:x:1000:1000:Rose Kunkel:/home/rose:/usr/bin/zsh

But getent passwd rose and getent passwd 1000 both return no output.
Stopping nscd.service fixes these problems. Checking the apparmor
logs, I noticed that nscd was denied access to
/etc/machine-id. Allowing access to that file seems to have fixed the
issue.

MR: !707
Fixes: #145

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
(cherry picked from commit ee5303c8

)
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      7d196223
    • Seth Arnold's avatar
      profiles: firefox Add support for widevine DRM · 678271e1
      Seth Arnold authored 
      Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1

Running firefix, then going to netflix.com and attempting to play a
movie. The widevinecdm plugin crashes, the following is found in
syslog:

Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert
...

Fixes: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1777070

Reported-by: default avatarXav Paice <xav.paice@canonical.com>
MR: !684

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie's avatarSteve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 656f2103

)
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      678271e1
  41. 11 Feb, 2021 1 commit
  43. 11 Dec, 2020 1 commit
  45. 28 Nov, 2020 1 commit
  47. 17 Nov, 2020 1 commit
  49. 03 Nov, 2020 1 commit
  51. 01 Nov, 2020 2 commits
  53. 26 Oct, 2020 2 commits
    • Vincas Dargis's avatar
      dovecot: allow reading dh.pem · 081717cd
      Vincas Dargis authored 
      Dovecot is hit with this denial on Debian 10 (buster):
```
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
```

This results in fatal error:

```
Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
/usr/share/dovecot/dh.pem: Permission denied
```

Add rule to allow reading dh.pem.

MR: !671
(cherry picked from commit 9d8e111a

)
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      081717cd
    • Vincas Dargis's avatar
      dovecot: allow kill signal · f566d8b3
      Vincas Dargis authored 
      Dovecot might try to kill related processes:

```
type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/auth"

type=AVC msg=audit(1601315453.655:9369): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3"

type=AVC msg=audit(1602939754.145:101362): apparmor="DENIED"
operation="signal" profile="dovecot" pid=31632 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3-login"
```
This discovered on low-power high-load machine (last resort timeout
handling?).

Update signal rule to allow SIGKILL.

MR: !671
(cherry picked from commit 2f9d172c

)
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      f566d8b3
  55. 15 Oct, 2020 1 commit
  57. 09 Oct, 2020 3 commits
  59. 03 Oct, 2020 2 commits
  61. 29 Sep, 2020 2 commits