- 10 Jan, 2021 5 commits
-
-
John Johansen authored
To get them running in the CI, * call them with `--configdir ./` * skip testing `aa-unconfined` if securityfs is not available MR: !696 Acked-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
... to increase test coverage of regex.py to 100%. MR: !695 Acked-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
... to ensure that it errors out if a wrong parameter type is given. This also increases the test coverage of ProfileList to 100%. MR: !694 Acked-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Add the BooleanRule and BooleanRuleset classes, add handling of boolean variable definitions in ProfileList and adjust `parse_profile_data()` to use BooleanRule. As usual, add tests for the added code. See the individual commits for the details. Note that this MR is also a bugfix - the previous code in (3.0 and master) saved boolean variables at a wrong place, and they were silently lost when writing the profile. MR: !693 Acked-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Fix comment in split_name() tests See merge request !692
-
- 25 Dec, 2020 9 commits
-
-
Christian Boltz authored
-
Christian Boltz authored
-
Christian Boltz authored
... by renaming them to test-*.py
-
Christian Boltz authored
... to increase test coverage of regex.py to 100%.
-
Christian Boltz authored
... to ensure that it errors out if a wrong parameter type is given. This also increases the test coverage of ProfileList to 100%.
-
Christian Boltz authored
... and save rules at the right place (ProfileList) where they actually get written when writing the profile. This is also a bugfix - the previous code saved boolean variables at a wrong place, and they were silently lost when writing the profile. Extend cleanprof_test.{in,out} to ensure that this doesn't break again. Also remove boolean_bad_[2-4] from the test-parser-simple-tests.py exception_not_raised list because these test profiles now get correctly detected as invalid.
-
Christian Boltz authored
This means adding the add_boolean() function and handling boolean variables in get_clean() and get_raw(). Also add some tests to cover the added code.
-
Christian Boltz authored
These two classes are meant to handle the definition of boolean rules like `$foo = true`. Also extend RE_PROFILE_BOOLEAN to provide named matches. As usual, add tests for the new classes.
-
Christian Boltz authored
-
- 11 Dec, 2020 3 commits
-
-
John Johansen authored
MR: !690 Acked-by:
John Johansen <john.johansen@canonical.com>
-
zt1024 authored
3.0 added the ability to extract and use the kernel's cap mask to augment its internal capability list as a stop gap measure to support new capabilities. Unfortunately not all kernels export the cap/mask and this is causing the policy compile to fail. If the kernel doesn't export a cap/mask just use the internal list. Fixes: #140 MR: !691 Signed-off-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
libraries/libapparmor/swig/python/Makefile.am: Add global LDFLAGS when building the python library. When only applying the custom PYTHON_LDFLAGS (which are in fact `python-config --ldflags`) distributions are unable to build the library with e.g. full RELRO. Closes #129 PR: !689 Acked-by:
John Johansen <john.johansen@canonical.com>
-
- 09 Dec, 2020 1 commit
-
-
Christian Boltz authored
-
- 08 Dec, 2020 1 commit
-
-
David Runge authored
libraries/libapparmor/swig/python/Makefile.am: Add global LDFLAGS when building the python library. When only applying the custom PYTHON_LDFLAGS (which are in fact `python-config --ldflags`) distributions are unable to build the library with e.g. full RELRO. Fixes #129 Related to #138
-
- 02 Dec, 2020 2 commits
-
-
John Johansen authored
Keep library version bump in sync so that dev does not fall behind 3.0.x Signed-off-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
libapparmor on startup does detection of whether the new stacking proc interfaces are available and then stores a var for which interface should be used. This avoids libapparmor needing to detect which interface to use on each proc based api call. Unfortunately if the domain is changed on the task via change_hat or change_profile and the proc interface is used after the domain change it is possible that access to the interface will be denied by policy. This is not a problem in and of itself except policy may have been created assuming the old interface. Fix this by adding a fallback that tries the old interface if we are using the new interface by default and the failure was due to an EACCES denial (policy based). Also refactor the code a bit so this retry is isolated to one function instead of adding it in two places. Fixes: #131 MR: !681 Signed-off-by:
John Johansen <john.johansen@canonical.com> Acked-by:
Steve Beattie <steve.beattie@canonical.com>
-
- 01 Dec, 2020 5 commits
-
-
Steve Beattie authored
treewide: spelling fixes identified partially by codespell See merge request !687
-
Steve Beattie authored
Adjust function and variable names to spell separator correctly. Kept as a distinct change in case someone wants to cherrypick other fixes. Signed-off-by:
Steve Beattie <steve.beattie@canonical.com> Acked-by:
Christian Boltz <apparmor@cboltz.de> MR: !687
-
Steve Beattie authored
Kept separate from other fixes because conf file changes can cause problems for packagers. Signed-off-by:
Steve Beattie <steve.beattie@canonical.com> Acked-by:
Christian Boltz <apparmor@cboltz.de> MR: !687
-
Steve Beattie authored
Fix spelling errors in code strings. Some strings are translatable. These fixes are potentially user visible. Signed-off-by:
Steve Beattie <steve.beattie@canonical.com> Acked-by:
Christian Boltz <apparmor@cboltz.de> MR: !687
-
Steve Beattie authored
With the exception of the documentation fixes, these should all be invisible to users. Signed-off-by:
Steve Beattie <steve.beattie@canonical.com> Acked-by:
Christian Boltz <apparmor@cboltz.de> MR: !687
-
- 30 Nov, 2020 1 commit
-
-
John Johansen authored
If aa-notify races file rotation it may crash with a trace back to the log file being removed before the new one is moved into place.

    Traceback (most recent call last):
      File "/usr/sbin/aa-notify", line 570, in <module>
        main()
      File "/usr/sbin/aa-notify", line 533, in main
        for message in notify_about_new_entries(logfile, args.wait):
      File "/usr/sbin/aa-notify", line 145, in notify_about_new_entries
        for event in follow_apparmor_events(logfile, wait):
      File "/usr/sbin/aa-notify", line 236, in follow_apparmor_events
        if os.stat(logfile).st_ino != log_inode:
    FileNotFoundError: [Errno 2] No such file or directory: '/var/log/audit/audit.log'

If we hit this situation sleep and then retry opening the logfile. Fixes: #130 MR: !688 Signed-off-by:
John Johansen <john.johansen@canonical.com> Acked-by:
Christian Boltz <apparmor@cboltz.de>
-
- 28 Nov, 2020 4 commits
-
-
John Johansen authored
... instead of blindly adding them to the profile, and later crash (and/or cause parser errors) because they don't exist. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527 MR: !683 Acked-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
So far, aa-autodep "accidentally" loaded the abstractions when parsing the existing profiles. Obviously, this only worked if there is at least one profile in the active or extra profile directory. Without any existing profiles, aa-autodep crashed with KeyError: '/tmp/apparmor.d/abstractions/base' Prevent this crash by explicitly loading the abstractions on start. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527 MR: !682 Acked-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The generated files are exactly the same, but the code is a bit more readable. Additional differences: * added test_gen_list() to verify the result of gen_list() * null_target has a non-empty value to avoid that it gets skipped in loops as empty value * invert_save has an additional entry for '' * copyright header added (based on git log of gen-xtrans.pl) MR: !673 Acked-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Since this option is mostly meant for testing, it will not show up in `--help`. `aa-notify` was the only tool that honored the `__AA_CONFDIR` env variable. Drop it in favor of the `--configdir` option. Note: Since we now pass `confdir=` to `init_aa()` (in most cases `None`), setting the default needs to be moved inside the function. Also use `--configdir` in the tests. See the individual commits for details. MR: !670 Acked-by:
John Johansen <john.johansen@canonical.com>
-
- 17 Nov, 2020 1 commit
-
-
John Johansen authored
... (/var/cache/libx11/compose/*), and deny any write attempts Reported by darix, https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams MR: !685 Acked-by:
John Johansen <john.johansen@canonical.com>
-
- 16 Nov, 2020 1 commit
-
-
Christian Boltz authored
... (/var/cache/libx11/compose/*), and deny any write attempts Reported by darix, https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams
-
- 08 Nov, 2020 2 commits
-
-
Christian Boltz authored
... instead of blindly adding them to the profile, and later crash (and/or cause parser errors) because they don't exist. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]
-
Christian Boltz authored
So far, aa-autodep "accidentally" loaded the abstractions when parsing the existing profiles. Obviously, this only worked if there is at least one profile in the active or extra profile directory. Without any existing profiles, aa-autodep crashed with KeyError: '/tmp/apparmor.d/abstractions/base' Prevent this crash by explicitly loading the abstractions on start. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]
-
- 01 Nov, 2020 2 commits
-
-
John Johansen authored
MR: !676 Acked-by:
John Johansen <john.johansen@canonical.com>
-
John Johansen authored
This is needed to catch conflicts between uppercase and lowercase hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in the German utils translations. Also fix conflicting hotkeys in utils de.po, id.po and sv.po. MR: !675 Acked-by:
John Johansen <john.johansen@canonical.com>
-
- 31 Oct, 2020 3 commits
-
-
Christian Boltz authored
-
Christian Boltz authored
-
Christian Boltz authored
This is needed to catch conflicts between uppercase and lowercase hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in the German utils translations.
-