- 13 Jul, 2021 2 commits

Christian Boltz authored

Christian Boltz authored
crypto allows reading /etc/gcrypt/random.conf, which is possibly needed for all programs that use libgcrypt. Reported by darix, who has seen it with vivaldi.

- 25 Aug, 2020 1 commit

Steve Beattie authored
Cryptographic libraries that have had FIPS 140-2 patches applied will read from and validate themselves against a validation file, which is in the same directory as the library itself. As an example, a FIPS 140-2 version of libgcrypt on x86-64 has the following shared library and hmac file:

  /lib/x86_64-linux-gnu/libgcrypt.so.20.2.1
  /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac

A similarly named version of libgcrypt + hmac file can be seen for SUSE systems in:
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2464.pdf
and Red Hat:
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2657.pdf

The libraries provided by FIPS 140-2 compliant versions of OpenSSL also include this.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: !595

- 23 Jul, 2020 1 commit

Christian Boltz authored
The authentication, base and nameservice abstractions used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable.

- 30 May, 2020 1 commit

Christian Boltz authored
This matches what we use in the profiles for local abstractions. Also adjust the check in the Makefile to expect the variant without '#'.

- 29 May, 2020 1 commit

John Johansen authored
Tag profiles and abstractions with abi information. Tagging abstractions is not strictly necessary but allows the parser to detect when there is a mismatch and that policy will need an update for abi. We do not currently tag the tunables because variable declarations are not currently affected by abi.

MR: !491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>

- 13 Feb, 2020 1 commit

nl6720 authored
Signed-off-by: nl6720 <nl6720@gmail.com>

- 03 Feb, 2020 1 commit

Christian Boltz authored
References: http://bugzilla.opensuse.org/show_bug.cgi?id=1161756

- 17 Dec, 2019 2 commits

Jamie Strandboge authored
/run/uuidd/request is hardcoded in libuuid from util-linux and uuidd listens on this socket to provide random and time-based UUIDs in a secure manner (man 8 uuidd). Some applications (eg, python's uuid) prefer to use this socket, falling back to getrandom(), /dev/urandom, etc. Eg:

  $ strace -f aa-exec -p test -- \
      python3 -c 'import uuid ; print("%s\n" % str(uuid.uuid1()))'
  ...
  socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = -1 EACCES (Permission denied)
  getrandom("\x8e\x89\xa5\xe7\x39\x1b", 6, GRND_NONBLOCK) = 6
  ...

uuidd itself produces random numbers using getrandom() and /dev/{,u}random (falling back to time-based if not), which are already allowed in the base abstraction. The uuidd daemon, when available, runs unprivileged under a dedicated user, so allowing read-only access to /run/uuidd/request is reasonable.

Jamie Strandboge authored
References:
- https://launchpad.net/bugs/1848919

- 24 Mar, 2019 1 commit

intrigeri authored
For example, VirtualBox guests have /usr/lib/VBoxOGL.so. Without this change, in a VirtualBox VM with VBoxVGA graphics, at least one Qt5 application (OnionShare) won't start and display:

  ImportError: libGL.so.1: failed to map segment from shared object

… and the system logs have:

  apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled. So let's not assume all libraries have a name that starts with "lib".

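The audit record in the commit above is the raw material behind most entries on this page: a DENIED line names the profile, the path and the denied mask, and a policy author turns it into a file rule. The following is an added example, not code from the AppArmor project, that parses such records and proposes the matching rule. It takes the VBoxOGL.so line quoted above as real input; the other two sample lines, the heuristic that a record with both name= and denied_mask= is a file access, and the drop-in destination (abstractions/base.d/, which I take to be what the "include if exists" entries on this page refer to) are my assumptions.

```python
"""Turn AppArmor DENIED audit records into candidate file rules.

Added example for this page (not AppArmor's own tooling; aa-logprof does
this job for real). Sample input is embedded below so it runs offline.
"""
import re

# The first line is the record quoted in the VBoxOGL.so commit message above;
# the second and third are constructed for this example.
SAMPLE_LINES = [
    'apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" '
    'name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" '
    'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0',
    # constructed: a read of the loader config denied for the same profile
    'apparmor="DENIED" operation="open" profile="/usr/bin/onionshare-gui" '
    'name="/etc/ld.so.conf" pid=11416 comm="onionshare-gui" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # constructed: complain-mode record, must be ignored
    'apparmor="ALLOWED" operation="open" profile="/usr/bin/onionshare-gui" '
    'name="/etc/passwd" pid=11417 comm="onionshare-gui" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# key="quoted value" or key=bare
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit mask letters -> file rule permission letters ('c' create is a write)
_MASK_MAP = {"r": "r", "w": "w", "c": "w", "a": "a", "l": "l", "k": "k", "m": "m", "x": "x"}
_PERM_ORDER = "rwalkm"          # order in which the letters are emitted
_NEEDS_QUOTING = set(' \t"{}[]*?')  # path characters the policy language treats specially


def parse_audit_line(line):
    """Return the record's fields as a dict, or None unless it is a DENIED record."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None


def perms_from_mask(mask):
    """Map denied_mask to rule letters. Exec is reported separately: a file
    rule needs an explicit exec modifier (ix, Pix, Cx, ...) rather than bare x."""
    letters = set()
    needs_exec = False
    for ch in mask:
        perm = _MASK_MAP.get(ch)
        if perm == "x":
            needs_exec = True
        elif perm:
            letters.add(perm)
    return "".join(p for p in _PERM_ORDER if p in letters), needs_exec


def propose_rule(fields):
    """Return (profile, rule) for a file-class denial, else None.

    Heuristic (assumption): signal, ptrace and network records carry no
    name/denied_mask pair, and dbus records carry bus=, so those are skipped."""
    name, mask, profile = fields.get("name"), fields.get("denied_mask"), fields.get("profile")
    if not (name and mask and profile) or "bus" in fields:
        return None
    perms, needs_exec = perms_from_mask(mask)
    path = f'"{name}"' if any(c in _NEEDS_QUOTING for c in name) else name
    if needs_exec:
        # letters alone are not a valid exec rule; leave the modifier choice to a human
        return profile, f"# {path} {perms}: exec denied, add an explicit exec modifier (ix/Pix/Cx)"
    if not perms:
        return None
    return profile, f"{path} {perms},"


def suggest_rules(lines):
    """Unique proposed rules per profile, in first-seen order."""
    by_profile = {}
    for line in lines:
        fields = parse_audit_line(line)
        proposal = propose_rule(fields) if fields else None
        if proposal:
            profile, rule = proposal
            rules = by_profile.setdefault(profile, [])
            if rule not in rules:
                rules.append(rule)
    return by_profile


def render_dropin(rules):
    """Render rules as the body of a drop-in file (e.g. under abstractions/base.d/,
    loaded by 'include if exists <abstractions/base.d>'). Every line is a suggestion."""
    header = ["# Candidate rules derived from audit denials; review before installing."]
    return "\n".join(header + rules) + "\n"


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LINES).items():
        print(f"# profile {profile}")
        print(render_dropin(rules))
```

Where a suggestion lands matters as much as what it says: a file under abstractions/base.d/ widens every profile that includes the base abstraction, so a rule that only one program needs belongs in that profile's own local/ include instead, and the literal path should be generalised (multiarch directories, versioned .so names) only as far as the access genuinely requires.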
- 24 Jan, 2019 1 commit

Matthew Garrett authored
Local policy may want to extend or override abstractions, so add support for including local updates to them.

Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: intrigeri <intrigeri@boum.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>

- 08 Nov, 2018 1 commit

Vincas Dargis authored
Commit aa065287 made @{sys} tunable available by default. Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var). Closes LP#1728551

- 26 Jan, 2018 1 commit

Vincas Dargis authored
Fix denies for latest Thunderbird and Firefox on Debian Sid due to missing access to /etc/ld.so.conf and /etc/ld.so.conf.d/*.

- 03 May, 2017 1 commit

Jamie Strandboge authored

- 27 Apr, 2017 1 commit

Jamie Strandboge authored
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the journal (see systemd-cat(1)).

In addition to systemd-cat, the stdout access is required for nested container (eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD containers require 'r' in addition to 'w' to work. journald does not allow reading log entries from this socket so the access is deemed safe.

Signed-off-by: Jamie Strandboge <jamie@canonical.com>

- 12 Apr, 2017 1 commit

Simon McVittie authored
glibc implements this by doing a readdir() and filtering. We already allowed sysconf(_SC_NPROCESSORS_ONLN), which is basically a read from /sys/devices/system/cpu/online.

Signed-off-by: Simon McVittie <smcv@collabora.com>

- 21 Jan, 2017 1 commit

Kees Cook authored
Acked-by: Seth Arnold <seth.arnold@canonical.com>

- 03 Dec, 2016 6 commits

intrigeri authored
This should solve the "overlapping rules with conflicting 'x' modifiers" problem (introduced with r3594) entirely. The other options I could think of were:

* ix → Pix, adjust all profiles that do 'ix' accordingly, and leave alone those that do Pix already; downsides: requires updating quite a few profiles all around the place, and breaks a mere "file," rule;
* ix → Pix, adjust all profiles that do 'ix' accordingly, and change the "file," rule semantics to imply Pix; downside: very intrusive, and likely to break random existing policy in ways that are hard to predict;
* stick to ix, and adjust all profiles that do anything else with overlapping rules, to do ix instead; downside: in some cases this means removing the 'P' modifier, which can cause regressions in how we confine stuff.

I've looked up in the bzr history to understand why execution rights would be needed, and… the answer predates the move to bzr. Looking into the SVN history, if it's even available anywhere, is a bit too much for me, so I've tested this change and the few applications I've tried did not complain. Of course, more testing will be needed.

intrigeri authored
It simply breaks too much stuff, such as a mere "file," rule.

intrigeri authored
Having consistent x modifiers in this abstraction is needed to allow profiles including abstractions/base to apply x rules overlapping with several of the rules from the base abstraction. E.g. one may need to have rules applying to /**, for example because a mere "file," conflicts with the ix→Pix change I did in r3596.

intrigeri authored
abstractions/base: turn merged-/usr-enabled ix rules into Pix, to avoid conflicts with other profiles. Example conflicts that are solved by this commit include:

  abstractions/ubuntu-helpers: /usr/{,local/}lib*/{,**/}* Pixr,

intrigeri authored
It causes conflicts in x modifiers when compiling usr.sbin.cupsd.

intrigeri authored

- 29 Jul, 2016 1 commit

Seth Arnold authored

- 23 Aug, 2015 1 commit

Christian Boltz authored
/usr/share/locale-bundle/ contains translations packaged in bundle-lang-* packages in openSUSE.

Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9

- 21 Jan, 2015 1 commit

Jamie Strandboge authored
journal socket. On Debian and Ubuntu systems, /dev/log is a symlink to /run/systemd/journal/dev-log, so this access is now required in the base abstraction to maintain current behavior.

Bug: https://bugs.launchpad.net/apparmor/+bug/1413232
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>

- 08 Oct, 2014 1 commit

Jamie Strandboge authored
/proc/sys/kernel/cap_last_cap. This is needed to determine the highest valid capability of the running kernel.

Reference: https://lkml.org/lkml/2011/10/15/42
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

- 05 Sep, 2014 1 commit

Jamie Strandboge authored
getopt, setopt and shutdown. This was added based on incorrect logging in early iterations of the abstract kernel patches which have since been fixed. These options don't make sense with peer=(addr=none), so drop that.

Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>

- 03 Sep, 2014 1 commit

Jamie Strandboge authored
- the base abstraction for common abstract and anonymous rules (comments included per rule)
- dbus-session-strict to add a rule for connecting to the dbus session abstract socket. I used 'peer=(label=unconfined)' here, but I could probably lose the explicit label if people preferred that
- X to add a rule for connecting to the X abstract socket. Same as for dbus-session-strict
- nameservice to add a rule for connecting to a netlink raw. This change could possibly be excluded, but applications using networking (at least on Ubuntu) all seem to need it. Excluding it would mean systems using nscd would need to add this and ones not using it would have a noisy denial

Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

- 23 Jun, 2014 1 commit

Jamie Strandboge authored
- Allow reciprocal ptrace readby to everyone (requires peer unconfined or to ptrace read to us)
- same for ptrace tracedby
- allow us to ptrace read ourselves
- receive all signals from unconfined
- allow us to signal ourselves
- allow sending and receiving "exists" (for pid existence)

Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>

- 09 Apr, 2013 1 commit

- 02 Jan, 2013 1 commit

Steve Beattie authored
This patch adds the kernelvars tunable to the global set that is usually included by default in apparmor policies. It then converts the rules that are intended to match /proc/pid to use this tunable.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>

- 10 Feb, 2012 1 commit

Jamie Strandboge authored
Description: glibc's __get_nprocs() now checks /sys/devices/system/cpu/online in addition to /proc/stat for the number of processors. This is used in the _SC_NPROCESSORS_ONLN implementation, a part of sysconf. This was introduced in upstream glibc commit:
http://repo.or.cz/w/glibc.git/patch/84e2a551a72c79b020694bb327e33b6d71b09b63

Bug-Ubuntu: https://launchpad.net/bugs/929531
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>

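Both glibc-driven changes recorded on this page, the readdir()-and-filter count in the 12 Apr 2017 entry and the /sys/devices/system/cpu/online read (with /proc/stat as the older source) in the entry above, come down to small parsers over sysfs and /proc. The following added example, mine rather than glibc's or AppArmor's code, reimplements those three lookups in Python over constructed sysfs and /proc/stat contents, and adds a live_counts() helper that reads the real files and reports None for any source the process cannot open, which is how a missing base-abstraction rule surfaces to the program.

```python
"""Three ways to count processors, mirroring what glibc reads and what the
base abstraction therefore has to allow. Added example for this page; the
sample file contents are constructed (8 configured CPUs, cpu4 and cpu6 offline).
"""
import os
import re

SAMPLE_ONLINE = "0-3,5,7\n"                      # /sys/devices/system/cpu/online, cpulist format
SAMPLE_CPU_DIR = ["cpu0", "cpu1", "cpu2", "cpu3", "cpu4", "cpu5", "cpu6", "cpu7",
                  "cpufreq", "cpuidle", "online", "offline", "possible", "present"]
SAMPLE_PROC_STAT = "\n".join([                   # only online CPUs get a cpuN line
    "cpu  2255 34 2290 22625563 6290 127 456 0 0 0",
    "cpu0 1132 34 1441 11311718 3675 127 438 0 0 0",
    "cpu1 1123 0 849 11313845 2614 0 18 0 0 0",
    "cpu2 998 0 801 11313900 2600 0 15 0 0 0",
    "cpu3 1001 0 790 11313950 2590 0 12 0 0 0",
    "cpu5 950 0 760 11314000 2580 0 11 0 0 0",
    "cpu7 940 0 750 11314050 2570 0 10 0 0 0",
    "intr 114930548 113199788 3 0 5 263 0 4 0 1 0 0 0 0 0 0 0 0",
    "ctxt 1990473",
    "btime 1062191376",
]) + "\n"

_CPU_ENTRY = re.compile(r"^cpu[0-9]+$")          # the filter glibc applies to directory entries


def parse_cpulist(text):
    """Expand a kernel cpulist such as "0-3,5,7" into a sorted list of CPU ids."""
    ids = set()
    for part in text.strip().split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if hi < lo:
            raise ValueError(f"bad cpulist range {part!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def online_count(online_text):
    """_SC_NPROCESSORS_ONLN style: number of ids listed in .../cpu/online."""
    return len(parse_cpulist(online_text))


def configured_count(dir_entries):
    """Configured-CPU count the readdir()-and-filter way: entries named cpu<N>."""
    return sum(1 for entry in dir_entries if _CPU_ENTRY.match(entry))


def proc_stat_count(stat_text):
    """Older fallback: per-CPU 'cpuN' lines in /proc/stat (aggregate 'cpu' line excluded)."""
    return sum(1 for line in stat_text.splitlines()
               if _CPU_ENTRY.match(line.split(" ", 1)[0]))


def live_counts(sysfs="/sys/devices/system/cpu", procstat="/proc/stat"):
    """Read the real files. A source the profile (or the platform) blocks is
    reported as None rather than raising, which is what a program confined
    without the matching rule would see: an EACCES, then a fallback."""
    result = {}
    try:
        with open(os.path.join(sysfs, "online")) as fh:
            result["online"] = online_count(fh.read())
    except OSError:
        result["online"] = None
    try:
        result["configured"] = configured_count(os.listdir(sysfs))
    except OSError:
        result["configured"] = None
    try:
        with open(procstat) as fh:
            result["proc_stat"] = proc_stat_count(fh.read())
    except OSError:
        result["proc_stat"] = None
    result["sysconf"] = os.cpu_count()           # what the C library itself reports
    return result


if __name__ == "__main__":
    print("sample:", online_count(SAMPLE_ONLINE), configured_count(SAMPLE_CPU_DIR),
          proc_stat_count(SAMPLE_PROC_STAT))
    print("live:", live_counts())
```

Run it once unconfined and once under a profile lacking the sysfs rules (for instance with aa-exec -p against a test profile, as the uuidd entry above does) and compare the dictionaries: a None in "online" or "configured" next to a populated "sysconf" is the symptom the 2012 and 2017 commits were written to remove.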
- 03 Jan, 2012 1 commit

Jamie Strandboge authored
Description: fix typo when adding multiarch lines for gconv

Bug-Ubuntu: https://launchpad.net/bugs/904548
Acked-by: Jamie Strandboge <jamie@canonical.com>

- 23 Mar, 2011 1 commit

Steve Beattie authored
Steve Langasek <steve.langasek@linaro.org>, Steve Beattie <sbeattie@ubuntu.com>
Description: add multiarch support to abstractions
Bug-Ubuntu: https://bugs.launchpad.net/bugs/736870

This patch adds multiarch support for common shared library locations, as well as a tunables file and directory to ease adding additional multiarch paths.

Bug: https://launchpad.net/bugs/736870

- 05 Jun, 2010 1 commit

Kees Cook authored

- 03 Jan, 2010 1 commit

Kees Cook authored
update php5 abstraction, add more details to apache hat documentation, include a common apache2 abstraction for use with hats

- 11 Nov, 2009 1 commit

Kees Cook authored

- 04 Nov, 2009 1 commit

Jamie Strandboge authored