1. 30 Jan, 2023 2 commits
  2. 29 Jan, 2023 3 commits
  3. 25 Jan, 2023 1 commit
  4. 24 Jan, 2023 4 commits
    • John Johansen's avatar
      Merge Fix: Opening links with Brave · 5fd8c257
      John Johansen authored
      Resolves #292.
      
      This fix is the same as !830 but for Brave.
      Opening links in Brave now works as intended.
      
      Note that now a separate denial is caused, related to WidevineCDM, is produced:
      ```
      [ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object)
      ```
      
      In the syslog:
      ```
      audit: type=1400 audit(1671108748.090:117): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=65765 comm="brave" requested_mask="m" denied_mask="m" fsuid=1000 ouid=100
      ```
      
      I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR.
      
      If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin:
      ```
      audit: type=1400 audit(1671112807.666:174): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=112098 comm="brave" capability=21  capname="sys_admin"
      ```
      which is fine, as mentioned by @jjohansen [here](!830 (comment 831915024)).
      
      Closes #292
      MR: !957
      
      
      Approved-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      Merged-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      5fd8c257
    • John Johansen's avatar
      Merge libapparmor: add scanner support for dbus method · a96fa35b
      John Johansen authored
      In the [merge request that adds AppArmor support on D-Bus Broker](https://github.com/bus1/dbus-broker/pull/286), the word "method" is used instead of "member" on the auditing logs.
      So we are adding support to parse "method" the same way as "member" on D-Bus audit logs.
      
      MR: !958
      
      
      Approved-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      Merged-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      a96fa35b
    • John Johansen's avatar
      Merge Extend crypto and ssl_certs abstractions · bb30df78
      John Johansen authored
      - ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory
      - crypoto: allow reading /etc/gcrypt/hwf.deny
      
      I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto).
      
      MR: !961
      
      
      Approved-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      Merged-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      bb30df78
    • John Johansen's avatar
      Merge parser: send key as integer on the dfa of sysv mqueue · 0ac38782
      John Johansen authored
      The key of SYSV message queues is an integer and the kernel uses an
      integer to store the key. In order to improve performance when
      travelling the DFA in the kernel, we should use an integer instead of
      the string.
      
      This [patch](georgiag/apparmor-kernel@5501f45f) contains a rough implementation of what that would look like on the kernel side
      
      MR: !968
      
      
      Approved-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      Merged-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      0ac38782
  5. 23 Jan, 2023 2 commits
  6. 22 Jan, 2023 1 commit
  7. 17 Jan, 2023 1 commit
  8. 12 Jan, 2023 1 commit
  9. 11 Jan, 2023 3 commits
  10. 07 Jan, 2023 1 commit
  11. 06 Jan, 2023 1 commit
    • Georgia Garcia's avatar
      tests: add dbus-broker support on regression tests · 790b17e1
      Georgia Garcia authored
      
      
      DBus Broker was enabled for the dbus_message and dbus_service
      regression tests.
      
      The dbus_eavesdropping test does not run with dbus-broker because
      eavesdropping was deprecated in favor or monitoring, so new tests for
      the "BecomeMonitor" method need to be added.
      
      The dbus_unrequested_reply test is also not supported by dbus-broker,
      therefore the tests are skipped.
      
      Signed-off-by: Georgia Garcia's avatarGeorgia Garcia <georgia.garcia@canonical.com>
      790b17e1
  12. 05 Jan, 2023 1 commit
  13. 04 Jan, 2023 4 commits
    • Georgia Garcia's avatar
      tests: fix profile generation for dbus test · c42efa51
      Georgia Garcia authored
      
      
      The test "eavesdrop (confined w/o dbus perms)" was failing for the
      wrong reason. While it should fail because it is missing dbus rules, it
      was actually failing because it didn't have the required unix rule.
      
      The error message was:
      "FAIL: Failed to open connection to "session" message bus: Failed to open socket: Permission denied"
      
      Corresponding audit log:
      [28306.743863] audit: type=1400 audit(1671048091.505:297): apparmor="DENIED" operation="create" class="net" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" pid=6787 comm="dbus_eavesdrop" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
      
      After the change, the error message is:
      FAIL: Failed to open connection to "session" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
      
      Corresponding audit log:
      [28444.248268] audit: type=1107 audit(1671048229.009:300): pid=6826 uid=0 auid=1000 ses=5 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6854 label="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
      
      Signed-off-by: Georgia Garcia's avatarGeorgia Garcia <georgia.garcia@canonical.com>
      c42efa51
    • Georgia Garcia's avatar
      tests: add write permission to output on dbus test profile · 8d3aab97
      Georgia Garcia authored
      
      
      The profile generated by dbus did not include this rule
      which caused the following DENIED audit logs:
      
      [26937.013475] audit: type=1400 audit(1671046721.776:246): apparmor="DENIED" operation="getattr" class="file" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_message" name="/tmp/sdtest.5720-14413-VQMPsH/output.dbus_message" pid=5866 comm="dbus_message" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
      
      Signed-off-by: Georgia Garcia's avatarGeorgia Garcia <georgia.garcia@canonical.com>
      8d3aab97
    • John Johansen's avatar
      Merge aa-status: Fix malformed json output with unconfined processes · dfc9847f
      John Johansen authored
      As reported in issue #295
      
      , the json output from aa-status would be invalid if
      there were profiles defined for processes that were unconfined. Fix this by
      ensuring the json for the processes array is closed properly.
      
      Signed-off-by: Alex Murray's avatarAlex Murray <alex.murray@canonical.com>
      
      MR: !964
      
      
      Approved-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      Merged-by: John Johansen's avatarJohn Johansen <john@jjmx.net>
      dfc9847f
    • Alex Murray's avatar
      aa-status: Fix malformed json output with unconfined processes · 22aa9b61
      Alex Murray authored
      As reported in issue #295
      
      , the json output from aa-status would be invalid if
      there were profiles defined for processes that were unconfined. Fix this by
      ensuring the json for the processes array is closed properly.
      
      Signed-off-by: Alex Murray's avatarAlex Murray <alex.murray@canonical.com>
      22aa9b61
  14. 03 Jan, 2023 3 commits
  15. 17 Dec, 2022 1 commit
  16. 16 Dec, 2022 4 commits
  17. 15 Dec, 2022 1 commit
  18. 12 Dec, 2022 1 commit
  19. 10 Dec, 2022 2 commits
  20. 05 Dec, 2022 2 commits
  21. 30 Nov, 2022 1 commit
    • Christian Boltz's avatar
      Simplify FileRule perms_with_a() · b9997473
      Christian Boltz authored
      ... by returning early if there's nothing to do.
      
      The main improvement is more readable code, but there should also be a
      minor performance improvement.
      b9997473