GitLab

To get them running in the CI,

* call them with `--configdir ./`
* skip testing `aa-unconfined` if securityfs is not available

MR: !696Acked-by: John Johansen <john.johansen@canonical.com>

... to increase test coverity of regex.py to 100%.

MR: !695Acked-by: John Johansen <john.johansen@canonical.com>

... to ensure that it errors out if a wrong parameter type is given.

This also increases the test coverage of ProfileList to 100%.

MR: !694Acked-by: John Johansen <john.johansen@canonical.com>

Add the BooleanRule and BooleanRuleset classes, add handling of boolean variable definitions in ProfileList and adjust `parse_profile_data()` to use BooleanRule. As usual, add tests for the added code.

See the individual commits for the details.

Note that this MR is also a bugfix - the previous code in (3.0 and master) saved boolean variables at a wrong place, and they were silently lost when writing the profile.
MR: !693Acked-by: John Johansen <john.johansen@canonical.com>

Fix comment in split_name() tests

See merge request !692

... by renaming them to test-*.py

... to increase test coverity of regex.py to 100%.

... to ensure that it errors out if a wrong parameter type is given.

This also increases the test coverage of ProfileList to 100%.

... and save rules at the right place (ProfileList) where they actually
get written when writing the profile.

This is also a bugfix - the previous code saved boolean variables at a
wrong place, and they were silently lost when writing the profile.

Extend cleanprof_test.{in,out} to ensure that this doesn't break again.

Also remove boolean_bad_[2-4] from the test-parser-simple-tests.py
exception_not_raised list because these test profiles now get correctly
detected as invalid.

This means adding the add_boolean() function and handling boolean
variables in get_clean() and get_raw().

Also add some tests to cover the added code.

These two classes are meant to handle the definition of boolean rules
like `$foo = true`.

Also extend RE_PROFILE_BOOLEAN to provide named matches.

As usual, add tests for the new classes.

MR: !690Acked-by: John Johansen <john.johansen@canonical.com>

3.0 added the ability to extract and use the kernels cap mask
to augment its internal capability list as a stop gap measure to
support new capabilities.

Unfortunately not all kernel export the cap/mask and this is causing
the policy compile to fail. If the kernel doesn't export a cp/mask
just use the internal list.

Fixes: #140
MR: !691Signed-off-by: John Johansen <john.johansen@canonical.com>

libraries/libapparmor/swig/python/Makefile.am: Add global LDFLAGS when building the python library. When only applying the custom PYTHON_LDFLAGS (which are in fact `python-config --ldflags`) distributions are unable to build the library with e.g. full RELRO.

Closes #129
PR: !689Acked-by: John Johansen <john.johansen@canonical.com>

libraries/libapparmor/swig/python/Makefile.am:
Add global LDFLAGS when building the python library.
When only applying the custom PYTHON_LDFLAGS (which are in fact
`python-config --ldflags`) distributions are unable to build the library
with e.g. full RELRO.

Fixes #129
Related to #138

Keep library version bump in sync so that dev does not fall behind
3.0.x
Signed-off-by: John Johansen <john.johansen@canonical.com>

libapparmor on startup does detection of whether the new stacking
proc interfaces are available and then store a var for which interface
should be used. This avoids libapparmor needing to detect which interface
to use on each proc based api call.

Unfortunately if the domain is changed on the task via change_hat or
change_profile and the proc interface is used after the domain change
it is possible that access to the interface will be denied by policy.
This is not a problem in and of it self except policy may have been
created assuming the old interface.

Fix this by adding a fallback that tries the old interface if we
are using the new interface by default and the failure was due to
an EACCES denial (policy based).

Also refactor the code a bit so this retry is isolated to one function
instead of adding it in two places.

Fixes: #131
MR: !681Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>

treewide: spelling fixes identified partially by codespell

See merge request !687

Adjust function and variable names to spell separator correctly. Kept
as a distinct change in case someone wants to cherrypick other fixes.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: !687

Kept separate from other fixes because conf file changes can cause
problems for packagers.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: !687

Fix spelling errors in code strings. Some strings are translatable.
This fixes are potentially user visible.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: !687

With the exception of the documentation fixes, these should all be
invisible to users.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: !687

If aa-notify races file rotation it may crash with a trace back to
the log file being removed before the new one is moved into place.

    Traceback (most recent call last):
       File "/usr/sbin/aa-notify", line 570, in <module>
         main()
       File "/usr/sbin/aa-notify", line 533, in main
          for message in notify_about_new_entries(logfile, args.wait):
       File "/usr/sbin/aa-notify", line 145, in notify_about_new_entries
         for event in follow_apparmor_events(logfile, wait):
       File "/usr/sbin/aa-notify", line 236, in follow_apparmor_events
         if os.stat(logfile).st_ino != log_inode:
    FileNotFoundError: [Errno 2] No such file or directory: '/var/log/audit/audit.log'

If we hit this situation sleep and then retry opening the logfile.

Fixes: #130
MR: !688Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>

... instead of blindly adding them to the profile, and later crash (and/or cause parser errors) because they don't exist.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527
MR: !683Acked-by: John Johansen <john.johansen@canonical.com>

So far, aa-autodep "accidently" loaded the abstractions when parsing the existing profiles. Obviously, this only worked if there is at least one profile in the active or extra profile directory.

Without any existing profiles, aa-autodep crashed with KeyError: '/tmp/apparmor.d/abstractions/base'

Prevent this crash by explicitely loading the abstractions on start.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527
MR: !682Acked-by: John Johansen <john.johansen@canonical.com>

The generated files are exactly the same, but the code is a bit more readable.

Additional differences:

* added test_gen_list() to verify the result of gen_list()
* null_target has a non-empty value to avoid that it gets skipped in loops as empty value
* invert_save has an additional entry for ''
* copyright header added (based on git log of gen-xtrans.pl)

MR: !673Acked-by: John Johansen <john.johansen@canonical.com>

Since this option is mostly meant for testing, it will not show up in `--help`.

`aa-notify` was the only tool that honored the `__AA_CONFDIR` env variable. Drop it in favor of the `--configdir` option.

Note: Since we now pass `confdir=` to `init_aa()` (in most cases `None`), setting the default needs to be moved inside the function.

Also use `--configdir` in the tests.

See the individual commits for details.

MR: !670Acked-by: John Johansen <john.johansen@canonical.com>

... (/var/cache/libx11/compose/\*), and deny any write attempts

Reported by darix, https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams

MR: !685Acked-by: John Johansen <john.johansen@canonical.com>

... (/var/cache/libx11/compose/*), and deny any write attempts

Reported by darix,
https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams

... instead of blindly adding them to the profile, and later crash
(and/or cause parser errors) because they don't exist.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]

So far, aa-autodep "accidently" loaded the abstractions when parsing the
existing profiles. Obviously, this only worked if there is at least one
profile in the active or extra profile directory.

Without any existing profiles, aa-autodep crashed with
KeyError: '/tmp/apparmor.d/abstractions/base'

Prevent this crash by explicitely loading the abstractions on start.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]

MR: !676Acked-by: John Johansen <john.johansen@canonical.com>

This is needed to catch conflicts between uppercase and lowercase hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in the german utils translations.

Also fix conflicting hotkeys in utils de.po, id.po and sv.po.

MR: !675Acked-by: John Johansen <john.johansen@canonical.com>

This is needed to catch conflicts between uppercase and lowercase
hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in
the german utils translations.