GitLab

This test uses unix_fd_server to open a file and pass
its file descriptor to the attach_disconnected tests, which
then mounts, pivots root and then tries to open the file.

Since the server execs the client, this MR also inverts the order
of the parameters to allow the server to forward the client's args
along with the unix_socket path.

I'm also refactoring out the unix_fd_client logic into unix_fd_common,
so we can use this implementation when creating other clients, which is the case
for the test binary attach_disconnected

MR: !810

Acked-by: Approved-by: John Johansen <john@jjmx.net>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>

This test uses unix_fd_server to open a file and pass
its file descriptor to the attach_disconnected tests, which
then mounts, pivots root and then tries to open the file.

Since the server execs the client, this commit also inverts the order
of the parameters to allow the server to forward the client's args
along with the unix_socket path.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: apparmor/apparmor!810

Acked-by: John Johansen <john.johansen@canonical.com>

The code from unix_fd_client can be used by other clients which
will receive the fd of a file using SCM rights.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: apparmor/apparmor!810

Acked-by: John Johansen <john.johansen@canonical.com>

The file query test on query_label.sh fails on kernels
before 4.4 because of the lack of support. Since there
is no feature file to examine for this feature, we
needed to check for the kernel version. Refer to [qa-regression-testing](https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py#n1653).

As discussed on !767, we might need a more complicated test than
only checking for the kernel version, since this feature might
be available in out-of-tree Ubuntu kernels such as saucy (3.13).

MR: !769

Acked-by: John Johansen <john@jjmx.net>

Whenever the evince deb package tries to open a snap browser which was
selected as the default, we get the following denial:

audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

As a short-term solution, we are adding a snap-browsers profile
which restricts what snaps opened by evince can do.
The long-term solution is currently not available, but could be
accomplished by using enhanced environment variable filtering/mediation
and delegation of open fds.

Bug: https://launchpad.net/bugs/1794064

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: !806

Acked-by: John Johansen <john@jjmx.net>

GTK/QT apps need to read some config files in order to properly render their windows in a graphical session. There are some `qt5` abstractions already, but it looks like the `gtk` abstraction is missing.

The `*gtk*` rules are basically the location of the GTK config files I found on the internet when I was trying to compose this abstraction. Some of the paths are missing in Debian, but different distros can use (or were using) them. Since GTK apps use themes, the abstraction also include the whole `/usr/share/themes/` , `@{HOME}/.themes/` and `@{HOME}/.local/share/themes/` dirs. I'm not sure whether this should be tightened. The `.Xauthority` file is generally needed when you deal with GUI apps under Xserver. Also since all GUI apps redirect output/error to the `~/.xsession-errors` file, this file also was included here.

Fixes: #65
Fixes: #168
MR: !825

Acked-by: John Johansen <john.johansen@canonical.com>

The following files generated during the build were not ignored by git: aa_policy_cache at_secure dbus_common.o dbus_eavesdrop dbus_message dbus_service dbus_unrequested_reply fd_inheritance fd_inheritor introspect pivot_root query_label socketpair syscall_ioperm syscall_iopl transition unix_socket unix_socket_client unix_socket_common.o uservars.inc xattrs_profile

MR: !826

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>

The Hack used to build the libapparmor swig interface for ruby fails
with ruby 3.1.  Instead of trying to do black magic in ruby to rename
the generated Makefile to Makefile.new, just save off the Makefile
and restore after ruby's setup has been called.

Fixes: apparmor/apparmor#206

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>

busybox xargs does not have -d nor long --max-procs options, instead use -0 (and separate arguments with printf "%s\\0") and -P which are more portable. While we are here, also add -r (--no-run-if-empty, which also has no long equivalent for busybox) as we likely don't want to run anything if no profile were found

This is useful for alpine systems where findutils is not installed by default, but busybox xargs is available.

MR: !828

Acked-by: John Johansen <john.johansen@canoical.com>

busybox xargs does not have -d nor long --max-procs options,
instead use -0 (and separate arguments with printf "%s\0")
and -P which are more portable.
While we are here, also add -r (--no-run-if-empty, which also has
no long equivalent for busybox) as we likely don't want to run
anything if no profile were found

This is useful for alpine systems where findutils is not installed by
default, but busybox xargs is available.

The following files generated during the build were not ignored by git:
  aa_policy_cache
  at_secure
  dbus_common.o
  dbus_eavesdrop
  dbus_message
  dbus_service
  dbus_unrequested_reply
  fd_inheritance
  fd_inheritor
  introspect
  pivot_root
  query_label
  socketpair
  syscall_ioperm
  syscall_iopl
  transition
  unix_socket
  unix_socket_client
  unix_socket_common.o
  uservars.inc
  xattrs_profile
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

This fixes a crash when a profile name contains a \n character which
breaks profile name parsing. The fix is minimal in that it ignores
the bad profile name and continues processing.

Ideally this name would not exist and is indicative of a bug in the kernel.

Fixes: #211
MR: !824

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>

abstractions/samba: allow ldb2 paths

See merge request !821

Note: https://bugzilla.opensuse.org/show_bug.cgi?id=1192684

 was made public in the meantime.
Acked-by: Jon Tourville <jon.tourville@canonical.com>

These directories were introduced in openssl in https://patchwork.ozlabs.org/project/openwrt/patch/20210429153530.10020-2-cotequeiroz@gmail.com/

I propose this patch for 3.0 and master. Optionally also for older branches, even if it's unlikely that systems using 2.13.x or older get a new-enough openssl to need this ;-)

MR: !818

Acked-by: John Johansen <john.johansen@canonical.com>

libldb packaging in openSUSE changes to use "ldb2" in the path, adjust
the abstraction accordingly.

Patch by Samuel Cabrero <scabrero@suse.de>
via https://build.opensuse.org/request/show/947009

References:
- https://bugzilla.opensuse.org/show_bug.cgi?id=1192684 (non-public)
- https://build.opensuse.org/request/show/946250 (ldb packaging change)
- https://build.opensuse.org/request/show/946251 (samba packaging change)

Define @{HOMEDIRS} before using it in @{HOME}

See merge request !820

Acked-by: Georgia Garcia  <georgia.garcia@canonical.com>

The old order is not really wrong / a bug because the order doesn't
matter, but defining the variables it in the "right" order helps to
prevent confusion.

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003158

profiles/apparmor.d: Fix file_mmap violation for bsc#1192336.

See merge request !819

Acked-by: Christian Boltz <apparmor@cboltz.de> for 3.0 and master

- Fix 'apparmor="DENIED" operation="file_mmap" profile="samba-bgqd"
      name="/usr/lib64/samba/samba-bgqd" pid=2876 comm="samba-bgqd"
      requested_mask="m" denied_mask="m" fsuid=0 ouid=0'

entries appearing in SLE15-SP4
Signed-off-by: Noel Power <noel.power@suse.com>

These directories were introduced in openssl in
https://patchwork.ozlabs.org/project/openwrt/patch/20210429153530.10020-2-cotequeiroz@gmail.com/

Change 'aa' from hasher to dict

See merge request !817

Acked-by: Jon Tourville <jon.tourville@canonical.com>

abstractions/python: merge /usr/ and /usr/local/ rules, and add some new rules

See merge request !814

Acked-by: Georgia Garcia <georgia.garcia@canonical.com>

If there's still some code left that tries to access an uninitialized
item in 'aa' (reading or writing), this will result in a very visible
crash instead of silently seeming to work.

Testing shows that we seem to correctly initialize each item in 'aa' (no
crashes), therefore let's hope the best ;-)

Fix comment typo in parser/lib.c

See merge request !815

Acked-by: Jon Tourville <jon.tourville@canonical.com>

- allow reading *.so.*
- allow directory listings in .../site-packages/
- allow reading various metadata files

These additions are based on denials seen on openSUSE Leap 15.3 with
python 3.9.

This keeps all existing permissions, and adds a few that were out of
sync:
- /usr/lib*/python3.*/lib-dynload/*.so missed 3.1[0-9]
- /usr/lib/python3/... was missing, only /usr/local/python3/ was allowed

Adds python3 setuptools as a build dependency for libapparmor

Fixes: #202
MR: !813

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>

Both aarch64 and s390x have a bigger wtmp record size (16 bytes more than x86_64, 400 bytes total).

The byte position of the timestamp is also different on each architecture. To make things even more interesting, s390x is big endian.

Note that this MR includes more things, like
* moving `get_last_login_timestamp()` to the new `apparmor/notify.py` file
* add unit tests for it
* add wtmp example files from various architectures, including a hand-edited one claiming to be from 1999
* fixing a bug in `get_last_login_timestamp()` that unpacked `type` from too many bytes - which accidently worked on x86_64
* detecting from which architecture the wtmp file comes (luckily the timestamps are located at different locations)

See the individual commits for details.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1181155
MR: !809

Acked-by: John Johansen <john.johansen@canonical.com>

Fixes: #203

MR:!811

Acked-by: John Johansen <john.johansen@canonical.com>

Fixes: #203

Ensure that pre-2000 and post-2050 dates get rejected, and something in
between gets accepted.

This also extends coverage to 100% - before, the post-2050 branch was
not covered.

A too-small file can't contain something useful.

Also, a wtmp file with a timestamp from pre-2000 is beyond what you'd
expect on a 2021 system.

Both aarch64 and s390x have a bigger wtmp record size (16 bytes more
than x86_64, 400 bytes total).

The byte position of the timestamp is also different on each
architecture. To make things even more interesting, s390x is big endian.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1181155

'type' is a short (see "ut_type" in wtmp(5)), therefore only read two
bytes and unpack them as short. Afterwards read two padding bytes to
/dev/null.

This accidently worked on x86_64 because it's little endian, but will
fail on big endian architectures.

... starting with a x86_64 wtmp example file

This is a preparation to make adding tests easier.

This adds a base_af_names.h file similar to base_cap_names.h to support newer address families in policy when built against older headers.

Fixes: #195
MR: !808

Acked-by: John Johansen <john.johansen@canonical.com>