1. 13 Sep, 2018 1 commit
  2. 19 Jan, 2018 1 commit
    • Install pam_apparmor.so with write permission for its owner. · 6ab19ea8
      intrigeri authored
      I could not find the reason why the upstream Makefile has been installing it
      with permissions 555: this predates the migration from SVN.
      
      Regardless, at least on Debian and derivatives, dh_fixperms has been
      changing these permissions to 755 forever so it was causing problems,
      likely we would know about it by now.
      
      The initial motivation for this change is supporting rootless builds on Debian
      and derivatives, also known as "Rules-Requires-Root: no":
      
       - /usr/share/doc/dpkg-dev/rootless-builds.txt* on a Debian system
         with a sufficiently recent dpkg-dev installed
       - https://nthykier.wordpress.com/2017/10/29/building-packages-without-fakeroot/
       - https://lists.debian.org/debian-devel/2017/10/msg00520.html
      
      With this change applied upstream, Debian-based downstreams don't need to adjust
      their debian/rules to make this work with "Rules-Requires-Root: no":
      
      	chrpath -d $(CURDIR)/debian/tmp/lib/security/pam_apparmor.so
      6ab19ea8
  3. 01 Nov, 2017 1 commit
  4. 19 Jan, 2017 1 commit
  5. 10 Dec, 2016 1 commit
    • build: make documentation at tarball creation time, not during build · 10639628
      Steve Beattie authored
      The latex based techdoc in the parser/ tree adds a number of build
      dependencies for downstreams to create it; it also is the primary
      element to make the builds unrepeatable. Creating the techdoc and other
      documentation when generating a tarball for distribution avoids all
      that.
      
      * Makefile: build documentation as part of the tarball creation. Skip
        the libraries/libapparmor directory as it needs to have configure run
        before the manpages can be made.
      * changehat/mod_apparmor/Makefile, changehat/mod_apparmor/Makefile,
        utils/Makefile, profiles/Makefile: create separate docs target,
        some of them dummies.
      * parser/Makefile: pull the techdoc out of the default build target, add
        an extra_docs target to create it.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Christian Boltz <apparmor@cboltz.de>
      10639628
  6. 24 Jun, 2016 1 commit
  7. 01 Feb, 2016 1 commit
  8. 10 Jun, 2015 1 commit
  9. 10 Feb, 2015 1 commit
  10. 30 Jan, 2015 1 commit
  11. 23 Jan, 2015 1 commit
  12. 08 Dec, 2014 1 commit
  13. 09 Oct, 2014 1 commit
  14. 02 Oct, 2014 1 commit
  15. 15 Sep, 2014 1 commit
    • manpages: incorporate podchecker; fix errors and (most) warnings · c48d7dc7
      Steve Beattie authored
      This patch adds a 'check_pod_files' make target to the common make
      rules, and then fixes the errors it highlighted as well as most of
      the warnings. It will cause 'make check' in most of the directories to
      fail if there are errors in a pod file (but not if there are warnings).
      
      Common issues were:
      
        - using an '=over/=back' pair for code-like snippets that did not
          contain any =items therein; the =over keyword is intended for
          indenting lists of =item entries, and generates a warning if
          there isn't any.
      
        - not escaping '<' or '>'
      
        - blank lines that contained spaces or tabs
      
      The second -warnings flag passed to podchecker is to add additional
      warnings, un-escaped '<' and '>' being one of them.
      
      I did not fix all of the warnings in apparmor.d.pod, as I have not come
      up with a good warning-free way to express the BNF of the language
      similar in format to what is currently generated. The existing
      libapparmor warnings (complaints about duplicate =item definition
      names) are actually a result of passing the second -warnings flag.
      The integration into libapparmor is suboptimal due to automake's
      expectation that there will be a test driver program(s) for make check
      targets; that's why I added the podchecker call to the manpage
      generation point.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      ---
       changehat/mod_apparmor/Makefile         |    3 
       changehat/mod_apparmor/mod_apparmor.pod |   28 ++-
       common/Make.rules                       |    4 
       libraries/libapparmor/doc/Makefile.am   |    7 
       parser/Makefile                         |    2 
       parser/apparmor.d.pod                   |  275 +++++++++++++-------------------
       utils/Makefile                          |    3 
       utils/aa-cleanprof.pod                  |    2 
       utils/aa-complain.pod                   |    2 
       utils/aa-decode.pod                     |    2 
       utils/aa-easyprof.pod                   |   69 +++-----
       utils/aa-enforce.pod                    |    2 
       utils/aa-genprof.pod                    |    2 
       utils/aa-logprof.pod                    |    6 
       utils/aa-sandbox.pod                    |   64 ++-----
       utils/logprof.conf.pod                  |    2 
       utils/vim/Makefile                      |    2 
       17 files changed, 212 insertions(+), 263 deletions(-)
      c48d7dc7
  16. 09 Jul, 2014 1 commit
  17. 08 Jul, 2014 4 commits
    • mod_apparmor: whitespace cleanups · c42bc173
      Steve Beattie authored
      This patch is cosmetic; it cleans up a lot of whitespace issues:
      removing trailing spaces, converting tabs into spaces, and removing
      unneeded spaces around function arguments.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      c42bc173
    • mod_apparmor: remove immunixisms from code · 495b4c2c
      Steve Beattie authored
      This patch is a cosmetic set of changes to remove references to immunix
      from the source code (except in the case of handling deprecated
      keywords), as well as correcting my email address.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      495b4c2c
    • mod_apparmor: add 'servername-uri' hat · 8b79c9be
      Steve Beattie authored
      This patch adds an additional hat to try in the mod_apparmor processing
      sequence, constructed from the host's ServerName + '-' + URI
      (e.g. 'www.example.com-/some/uri'). This hat is attempted before the raw
      URI hat is attempted, leaving the ordering as follows:
      
        (1) to a hatname in a location/directory directive
        (2) to the server name or a defined per-server default
        (3) to the server name + "-" + uri
        (4) to the uri
        (5) to DEFAULT_URI
        (6) back to the parent profile
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      8b79c9be
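The hat lookup order this commit settles on, as an added C example that is not mod_apparmor's own code: it builds the vector of candidate hat names in the order listed above, which the module hands to libapparmor's aa_change_hatv() in a single call. `struct hat_request`, `build_hat_vector()` and `free_hat_vector()` are illustrative names, and the aa_change_hatv() call itself is left out so the ordering logic runs stand-alone.

```c
/* Added example, not mod_apparmor's own code: the ordered candidate-hat vector
 * described above. Names are illustrative; the module passes it to aa_change_hatv(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_HATS 6
#define DEFAULT_URI "DEFAULT_URI"  /* last-resort hat name used by mod_apparmor */

/* Constructed request context; NULL means the directive was not set. */
struct hat_request {
    const char *location_hat;  /* AAHatName from a <Location>/<Directory> */
    const char *default_hat;   /* AADefaultHatName from the vhost, if any */
    const char *server_name;   /* ServerName of the vhost */
    const char *uri;           /* request URI */
};

/* Fill hats[] most specific first and return the count (caller frees):
 *   1. AAHatName from a location/directory directive
 *   2. AADefaultHatName, or ServerName when it is not set (8250e061)
 *   3. ServerName + "-" + URI (8b79c9be)
 *   4. the URI itself
 *   5. DEFAULT_URI
 * Falling back to the parent profile happens when all fail; no entry needed. */
static int build_hat_vector(const struct hat_request *req, char *hats[MAX_HATS])
{
    int n = 0;
    if (req->location_hat && *req->location_hat)
        hats[n++] = strdup(req->location_hat);
    const char *def = (req->default_hat && *req->default_hat)
                          ? req->default_hat : req->server_name;
    if (def && *def)
        hats[n++] = strdup(def);
    if (req->server_name && *req->server_name && req->uri && *req->uri) {
        size_t len = strlen(req->server_name) + 1 + strlen(req->uri) + 1;
        char *combined = malloc(len);
        if (combined) {
            snprintf(combined, len, "%s-%s", req->server_name, req->uri);
            hats[n++] = combined;
        }
    }
    if (req->uri && *req->uri)
        hats[n++] = strdup(req->uri);
    hats[n++] = strdup(DEFAULT_URI);
    return n;
}

static void free_hat_vector(char *hats[], int n)
{
    for (int i = 0; i < n; i++)
        free(hats[i]);
}

int main(void)
{
    /* Constructed sample: vhost with neither AAHatName nor AADefaultHatName. */
    struct hat_request req = { NULL, NULL, "www.example.com", "/some/uri" };
    char *hats[MAX_HATS];
    int n = build_hat_vector(&req, hats);
    for (int i = 0; i < n; i++)
        printf("%d: %s\n", i + 1, hats[i]);
    free_hat_vector(hats, n);
    return 0;
}
```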
    • mod_apparmor: try uri hat after AADefaultHatName, not before · 37276435
      Steve Beattie authored
      In trunk revno 2335, a bug was fixed in mod_apparmor that corrected
      the storage location for AADefaultHatName.  The incorrect storage
      caused the hat specified by the AADefaultHatName keyword to be the
      default value for AAHatName, and meant that if both an AAHatName and
      an AADefaultHatName entry were given in a vhost, mod_apparmor would
      not fall back to trying AADefaultHatName if the hat specified in
      AAHatName did not exist in the apache apparmor profile.
      
      However, because the value specified in AADefaultHatName was the
      default, if no AAHatName was specified, it would be attempted first,
      before a hat based on the passed URI, rather than after as the
      documentation stated and the code intended. By fixing the storage bug,
      the attempted hat ordering now matched the documentation. But a number
      of users came to rely on AADefaultHatName being attempted before
      the URI. For trunk, this issue is less severe because mod_apparmor
      passes a vector of hats to aa_change_hatv(), and thus missing URI
      hats are not logged by the kernel apparmor bits. It still represents
      a behavioral change to users, though.
      
      This patch re-adjusts the ordering so that the URI-based hat is
      attempted after the hat specified by AADefaultHatName is attempted,
      thus maintaining the actual behavior before the bug addressed in
      revno 2335 was fixed.
      
      Patch history:
        v1: initial revision
        v2: no code changes; adjust comments and improve the man page
            documentation
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      37276435
  18. 11 Mar, 2014 1 commit
  19. 14 Feb, 2014 1 commit
    • Author: Jamie Strandboge <jamie@canonical.com> · 8e5f15c6
      Seth Arnold authored
      Description: update mod_apparmor man page for Apache 2.4 and add new
       apparmor.d/usr.sbin.apache2 profile (based on the prefork profile)
      Acked-by: Steve Beattie <steve@nxnw.org>
      
      Differs from original 0036-libapache2-mod-apparmor-profile-2.4.patch
      ubuntu patch -- I've deleted the "delete the apache 2.2 profile" part of
      the patch. So apache 2.2's profile is also still supported.
      8e5f15c6
  20. 23 Jan, 2014 11 commits
    • mod_apparmor: include errno in log messages for failures · 52b34589
      Steve Beattie authored
      This patch includes the errno in the log messages generated by two
      different failed aa_change_hat() calls and the failure to open
      /dev/urandom to get the random token, to further ease failure
      diagnosis.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      52b34589
    • mod_apparmor: eliminate unnecessary back out aa_change_hat() calls · 016e1f1b
      Steve Beattie authored
      This patch removes unnecessary back out aa_change_hat() calls that occur
      if the prior call to aa_change_hat() failed. It used to be the case
      that an aa_change_hat() call that failed would result in the task being
      placed in a profile with no permissions except the ability to
      aa_change_hat() back out, but this behavior has been removed from
      apparmor for many, many years now.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      016e1f1b
    • mod_apparmor: add logging for AAHatName/AADefaultHatName policy misconfig · 6fd2f36b
      Steve Beattie authored
      This patch adds code that checks the resulting hat that apache gets
      placed into, and verifies that if the apache configuration specified
      that an AAHatName or AADefaultHatName should have been the resulting
      hat. If it wasn't, emit a warning message to the apache log, as this
      likely indicates a mismatch between the apache configuration and its
      apparmor policy (i.e. why define AAHatName if you aren't going to
      create the corresponding hat in the apparmor policy?)
      
      Note for AADefaultHatName, a message is not logged if a defined
      AAHatName would also apply or if there is a hat defined for the uri,
      as each of those come first in the order of attempted hats.
      
      Also note that the way the hat name is manually calculated will break
      for nested profiles and stacking. It should be fine for all current
      deployments as we don't allow nesting beyond the first subprofile level
      in policy yet. And stacking will likely only be used between namespaces
      where aa_getcon() will not report parent namespace info. However, when
      libapparmor adds functionality to query the hatname, the code that
      computes it here should be replaced by a call to that library function.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      6fd2f36b
    • mod_apparmor: convert aa_change_hat()s into single aa_change_hatv() · c98f54ec
      Steve Beattie authored
      This patch converts the request entry point from using multiple (if
      necessary) aa_change_hat() calls into a single aa_change_hatv() call,
      simplifying the code a bit, requiring fewer round trips between
      mod_apparmor and the kernel for each request, as well as providing more
      information when the apache profile is in complain mode.
      
      Patch history:
        v1: initial version
        v2: - the server config (scfg) code accidentally re-added the
              directory config (dcfg) hat to the vector of hats, fix that
            - actually add the DEFAULT_URI hat to the vector of hats, instead
              of only logging that that is happening.
            - pass errno to ap_log_rerror() if aa_change_hatv() call fails.
            - don't call aa_change_hat again if aa_change_hatv() call fails,
              as this is no longer necessary.
        v3: - Based on feedback from jjohansen, convert exit point
              aa_change_hat() call to aa_change_hatv(), in order to work
              around aa_change_hat() bug addressed in trunk rev 2329,
              which causes the exiting aa_change_hat() call to fail and
              results in the apache process being killed by the kernel.
              When it's no longer likely that mod_apparmor could run into
              a system libapparmor that still contains this bug, this can
              be converted back.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      c98f54ec
    • mod_apparmor: make the ServerName be the default AADefaultHatName · 8250e061
      Steve Beattie authored
      Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1207424
      
      This patch makes the default value for AADefaultHatName be the
      server/vhost name, which can be specified in apache via the ServerName
      configuration declaration. It can be overridden by setting
      AADefaultHatName directly. Thus, with this patch applied, the order of
      attempted hats will be:
      
        1. try to aa_change_hat(2) into a matching AAHatName hat if it exists
           and applies, otherwise
        2. try to aa_change_hat(2) into the URI itself, otherwise
        3. try to aa_change_hat(2) into the value of ServerName, unless
           AADefaultHatName has been explicitly set for this server/vhost, in
           which case that value will be used, otherwise
        4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists,
           otherwise
        5. fall back to the global Apache policy
      
      This should eliminate the need for most admins to define both
      ServerName and AADefaultHatName, unless there's a specific need for
      the values to deviate.
      
      Man page documentation is updated as well, though probably more
      wordsmithing is needed there for clarity.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      8250e061
    • mod_apparmor: fix AADefaultHatName storage · 1a008da2
      Steve Beattie authored
      When defining an AADefaultHatName entry, it was being stored in the
      passed mconfig location, which is not the module specific server
      config, but instead the top level (i.e. no path defined) default
      directory/location config. This would be superseded by a more specific
      directory config if it applied to the request. Thus, if an AAHatName was
      defined that applied, but the named hat was not defined in the apparmor
      policy, mod_apparmor would not attempt to fall back to the defined
      AADefaultHatName, but instead jump directly to trying the DEFAULT_URI
      hat.
      
      This patch fixes it by storing the defined AADefaultHatName correctly in
      the module specific storage in the related server data structure. It
      also adds a bit of developer debugging statements.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      
      Bug: https://launchpad.net/bugs/1207424
      1a008da2
    • mod_apparmor: improve initial and exit aa_change_hat call log message · 124f5980
      Steve Beattie authored
      This patch adds the name of the hat to the log message about the
      initial aa_change_hat call, just to be explicit about what's happening
      when debugging and changes the formatting slightly of the exiting
      change_hat log message.
      
      Patch history:
        v1: initial version
        v2: tweak output of exit trace message
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      124f5980
    • mod_apparmor: convert change_hat to aa_change_hat() · 3d155a30
      Steve Beattie authored
      mod_apparmor never got converted to use the renamed aa_change_hat()
      call (there's a compatibility macro in sys/apparmor.h); this patch does
      that as well as converting the type of the magic_token to long from int.
      
      (This patch is somewhat mooted by a later patch in the series to
      convert to using aa_change_hatv(), but would be a safer candidate
      for e.g. the 2.8 branch.)
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      3d155a30
    • Subject: mod_apparmor: convert debug_dump_uri to use trace loglevel · eff2a320
      Steve Beattie authored
      This patch converts the debug_dump_uri() function to use the trace
      loglevels and enable it all the time, rather than just when DEBUG is
      defined at compile time.
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      eff2a320
    • mod_apparmor: use trace1 loglevel for developer-oriented debug messages · 087ec5e1
      Steve Beattie authored
      Apache 2.4 added additional logging levels. This patch converts some of
      the log messages that are more intended for mod_apparmor development
      and debugging than for sysadmins configuring mod_apparmor to use trace1
      (APLOG_TRACE1) level instead. Since apache 2.2 does not contain this
      level (or define), we define it back to APLOG_DEBUG.
      
      Patch history:
        v1: initial version
        v2: mark a couple of additional log messages as trace1 level
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      087ec5e1
    • mod_apparmor: fix logging · 637a6bfe
      Steve Beattie authored
      The apache2 mod_apparmor module was failing to log debugging messages
      when the apache loglevel was set to debug or lower (i.e. traceN). This
      patch fixes it by using ap_log_rerror() (for request specific messages,
      with the request passed for context) and ap_log_error() (more general
      messages outside of a request context).
      
      Also, the APLOG_USE_MODULE macro is called, to mark the log messages as
      belonging to the apparmor module, so that the apache 2.4 feature of
      enabling debug logging for just the apparmor module will work, with an
      apache configuration entry like:
      
        LogLevel apparmor:debug
      
      See
      
        http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html
      
      for specifics about the ap_log_*error() and APLOG_USE_MODULE functions
      and macros, and
      
        http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel
      
      for the bits about module specific logging.
      
      Patch history:
        v1: initial version
        v2: - revert to using ap_log_error with (the 2.4 specific)
              ap_server_conf outside of a request specific context, as the
              pool specific ap_log_perror messages weren't being reported.
            - add compatibility workaround for apache 2.2
        v3: keep commented out merge function's log call consistent with the
            others
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com>
      637a6bfe
  21. 09 Jan, 2014 2 commits
  22. 19 Sep, 2013 1 commit
  23. 27 May, 2011 1 commit
  24. 18 Mar, 2011 1 commit
  25. 08 Feb, 2011 2 commits