Recently got bitten by `usr.sbin.lighttpd` not having the local include, so I figured I'd bring all the `extras/` profiles up to parity.

MR: !974


Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>

* Improve utils hotkey handling
* Ensure all languages are always tested and all subprocesses run successfully.

Picked from !966 (by Mark Grassi) so that code and translation changes are in separate MRs.

MR: !971


Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>

Mark Grassi authored Jan 23, 2023 and Christian Boltz committed Jan 29, 2023

Ensure all languages are always tested and all subprocesses run successfully.

Signed-off-by: John Johansen <john.johansen@canonical.com>

Resolves #292.

This fix is the same as !830 but for Brave.
Opening links in Brave now works as intended.

Note that now a separate denial is caused, related to WidevineCDM, is produced:
```
[ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object)
```

In the syslog:
```
audit: type=1400 audit(1671108748.090:117): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=65765 comm="brave" requested_mask="m" denied_mask="m" fsuid=1000 ouid=100
```

I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR.

If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin:
```
audit: type=1400 audit(1671112807.666:174): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=112098 comm="brave" capability=21  capname="sys_admin"
```
which is fine, as mentioned by @jjohansen [here](!830 (comment 831915024)).

Closes #292
MR: !957


Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

In the [merge request that adds AppArmor support on D-Bus Broker](https://github.com/bus1/dbus-broker/pull/286), the word "method" is used instead of "member" on the auditing logs.
So we are adding support to parse "method" the same way as "member" on D-Bus audit logs.

MR: !958


Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

- ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory
- crypoto: allow reading /etc/gcrypt/hwf.deny

I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto).

MR: !961


Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

The key of SYSV message queues is an integer and the kernel uses an
integer to store the key. In order to improve performance when
travelling the DFA in the kernel, we should use an integer instead of
the string.

This [patch](georgiag/apparmor-kernel@5501f45f) contains a rough implementation of what that would look like on the kernel side

MR: !968


Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

Fixes: https://bugs.launchpad.net/bugs/2003702

MR: !970


Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>

Adrian Heine authored Jan 23, 2023 and Christian Boltz committed Jan 23, 2023

Fixes: https://bugs.launchpad.net/bugs/2003702

Waydroid uses LXC and some lxc-net equivalent scripts. Allow that.

https://github.com/waydroid/waydroid/blob/b910c891740026aeba2cd6a86f93ca87ef57e3c6/data/scripts/waydroid-net.sh
https://web.archive.org/web/20221202141315/https://docs.waydro.id/debugging/known-issues

MR: !969


Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>

Waydroid uses LXC and some lxc-net equivalent scripts. Allow that.

https://github.com/waydroid/waydroid/blob/b910c891740026aeba2cd6a86f93ca87ef57e3c6/data/scripts/waydroid-net.sh
https://web.archive.org/web/20221202141315/https://docs.waydro.id/debugging/known-issues



Signed-off-by: Cameron Nemo <cam@nohom.org>

MR: !967


Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>

The key of SYSV message queues is an integer and the kernel uses an
integer to store the key. In order to improve performance when
travelling the DFA in the kernel, we should use an integer instead of
the string.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

The mqueue tests were using the previous format which was specific for
capabilities. The qual= prefix should be used instead.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

dbus-broker requires some modification of the test suite. In summary:

* refactor to support starting and stopping both dbus and dbus-broker.
* Make it so we can run the tests on each, where appropriate
* skip unrequested reply and eavesdrop tests for dbus broker because they are not supported.

MR: !965


Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

DBus Broker was enabled for the dbus_message and dbus_service
regression tests.

The dbus_eavesdropping test does not run with dbus-broker because
eavesdropping was deprecated in favor or monitoring, so new tests for
the "BecomeMonitor" method need to be added.

The dbus_unrequested_reply test is also not supported by dbus-broker,
therefore the tests are skipped.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

Commit 8cf3534a ("tests regression: fix failure on older versions of
Make") from !639
was incorrectly applied, including the `+` prefixes from the proposed
patch. This causes the sysctl syscall() checks to not correctly be
applied and results in a mismatch of expectations in the
syscall_sysctl.sh test script, causing it and the testsuite to fail.

Thus, remove the bogon `+` characters from the Makefile, to make
USE_SYSCTL be set correctly.

Fixes: 8cf3534a

 ("tests regression: fix failure on older versions of Make")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

MR: !963


Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

The test "eavesdrop (confined w/o dbus perms)" was failing for the
wrong reason. While it should fail because it is missing dbus rules, it
was actually failing because it didn't have the required unix rule.

The error message was:
"FAIL: Failed to open connection to "session" message bus: Failed to open socket: Permission denied"

Corresponding audit log:
[28306.743863] audit: type=1400 audit(1671048091.505:297): apparmor="DENIED" operation="create" class="net" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" pid=6787 comm="dbus_eavesdrop" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none

After the change, the error message is:
FAIL: Failed to open connection to "session" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

Corresponding audit log:
[28444.248268] audit: type=1107 audit(1671048229.009:300): pid=6826 uid=0 auid=1000 ses=5 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6854 label="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

The profile generated by dbus did not include this rule
which caused the following DENIED audit logs:

[26937.013475] audit: type=1400 audit(1671046721.776:246): apparmor="DENIED" operation="getattr" class="file" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_message" name="/tmp/sdtest.5720-14413-VQMPsH/output.dbus_message" pid=5866 comm="dbus_message" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

As reported in issue #295

, the json output from aa-status would be invalid if
there were profiles defined for processes that were unconfined. Fix this by
ensuring the json for the processes array is closed properly.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

MR: !964


Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

As reported in issue #295

, the json output from aa-status would be invalid if
there were profiles defined for processes that were unconfined. Fix this by
ensuring the json for the processes array is closed properly.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

getopt returns an int, not a char.
Error caused by this issue could only be observed on non-x86 systems.
Closes LP#2000359

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: !962


Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Steve Beattie <gitlab@nxnw.org>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>

Commit 8cf3534a ("tests regression: fix failure on older versions of
Make") from !639
was incorrectly applied, including the `+` prefixes from the proposed
patch. This causes the sysctl syscall() checks to not correctly be
applied and results in a mismatch of expectations in the
syscall_sysctl.sh test script, causing it and the testsuite to fail.

Thus, remove the bogon `+` characters from the Makefile, to make
USE_SYSCTL be set correctly.

Fixes: 8cf3534a

 ("tests regression: fix failure on older versions of Make")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

getopt returns an int, not a char.
Error caused by this issue could only be observed on non-x86 systems.
Closes LP#2000359

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

- ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory
- crypoto: allow reading /etc/gcrypt/hwf.deny

small fixes on log parsing

MR: !959


Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>

Add support to parse "method" the same way as "member" on
D-Bus audit logs.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

The AppArmorBug exception was missing the variable from the message

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

If the "operation" field is not present, we get the following error:
AttributeError: 'NoneType' object has no attribute 'startswith'

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

... by returning early if there's nothing to do.

The main improvement is more readable code, but there should also be a
minor performance improvement.

MR: !955


Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>

States are not guaranteed to have transitions, but when inserting
a state into the chfa table there is an unconditional dereference
to the states first transition.

This will result in a bad reference and could result in an OOB
flag being set on the state when it shouldn't be.

Fixes: 16b67ddb ("add ability to use out of band transitions"
Closes: #290


Reported-by: Nobel Barakat <nobelbarakat@google.com>
Reported-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Closes #290
MR: !956


Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>

States are not guaranteed to have transitions, but when inserting
a state into the chfa table there is an unconditional dereference
to the states first transition.

This will result in a bad reference and could result in an OOB
flag being set on the state when it shouldn't be.

Fixes: 16b67ddb ("add ability to use out of band transitions"
Closes: #290


Reported-by: Nobel Barakat <nobelbarakat@google.com>
Reported-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

This reverts commit 1aa474b2

.

This is a debug patch that unconditionally sets a profile debug flag
if mqueue rules are present. It should not be present in merged
code, and instead the user should set a debug flag on the profile if
that is desired.

This was merged with the patch to expedite the MR with the understanding
that this patch would be reverted.

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: !858


Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

... by returning early if there's nothing to do.

The main improvement is more readable code, but there should also be a
minor performance improvement.