1. 06 Dec, 2018 2 commits
  2. 30 Nov, 2018 12 commits
  3. 29 Nov, 2018 7 commits
  4. 21 Nov, 2018 1 commit
  5. 18 Nov, 2018 1 commit
    • Fix viewing a local inactive profile in aa-genprof · 8b4e76a7
      Christian Boltz authored
      aa-genprof checks if one of the profiles in the extra profile dir
      matches the binary, and proposes to use that profile as a starting
      point.
      
      Since 4d722f18 the "(V)iew profile"
      option to display the proposed profile was broken.
      
      The easiest fix is to remember the filename in the extras directory, and
      display the file from there.
      
      Sidenote: when choosing to use the extra profile, it gets written to
      disk without any problems, so this bug really only affected "(V)iew
      profile" to preview the proposed extra profile.
  6. 17 Nov, 2018 1 commit
  7. 16 Nov, 2018 2 commits
  8. 13 Nov, 2018 2 commits
    • Merge branch 'cboltz-parse-remainder' into 'master' · 9db669a0
      John Johansen authored
      parse_profile_data(): Ensure last line in a profile is valid
      
      'lastline' gets merged into 'line' (and reset to None) when reading the
      next line. If 'lastline' isn't empty after reading the whole profile,
      this means there's something unparseable at the end of the profile,
      therefore parse_profile_data() should error out.
      
      Also remove some simple_tests testcases from the 'exception_not_raised'
      list - they only didn't raise the exception because the invalid rule was
      the last line in the affected profile.
      
      Thanks to Eric Chiang for accidentally (and maybe even unnoticed ;-)
      discovering this bug while adding some xattr testcases that surprisingly
      didn't fail in the tools.
      
      PR: !271
      Acked-by: John Johansen <john.johansen@canonical.com>
    • parse_profile_data(): Ensure last line in a profile is valid · 4efff35b
      Christian Boltz authored
      'lastline' gets merged into 'line' (and reset to None) when reading the
      next line. If 'lastline' isn't empty after reading the whole profile,
      this means there's something unparseable at the end of the profile,
      therefore parse_profile_data() should error out.
      
      Also remove some simple_tests testcases from the 'exception_not_raised'
      list - they only didn't raise the exception because the invalid rule was
      the last line in the affected profile.
      
      Thanks to Eric Chiang for accidentally (and maybe even unnoticed ;-)
      discovering this bug while adding some xattr testcases that surprisingly
      didn't fail in the tools.
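      As an added illustration of the 'lastline' handling described in the two commits above: the following is a simplified model written for this page, not the AppArmor tools' own parse_profile_data(). The regex, the function names (join_rule_lines, profile_is_valid) and the two sample profiles are constructed for the example. It shows the edge case the commit closes: a rule without its terminating comma at the very end of a profile is stashed as a pending continuation and, without the final check, silently vanishes together with the closing brace.

```python
import re

# A rule line is complete when it ends with a comma, optionally followed by a
# comment. Anything else is treated as the start of a rule that continues on
# the next line, which is exactly why a fragment left over at EOF is an error.
RE_RULE_HAS_COMMA = re.compile(r',\s*(#.*)?$')


class ProfileParseError(Exception):
    """Raised for profile text the (simplified) parser cannot accept."""


def join_rule_lines(data, strict=True):
    """Return the complete rule lines of a profile given as a list of lines.

    Incomplete lines are remembered in 'lastline' and merged into the next
    line, mirroring the description in the commit message. With strict=True a
    fragment still pending after the final line raises ProfileParseError;
    strict=False reproduces the old behaviour, where it was silently dropped.
    """
    rules = []
    lastline = None
    for raw in data:
        line = raw.strip()
        # blank lines and comments ('#include' is a directive, not a comment)
        if not line or (line.startswith('#') and not line.startswith('#include')):
            continue
        if lastline is not None:
            line = '%s %s' % (lastline, line)   # merge the pending fragment
            lastline = None
        if line.startswith('#include') or line.endswith('{') or line == '}':
            rules.append(line)          # directive, profile/hat start, block end
        elif RE_RULE_HAS_COMMA.search(line):
            rules.append(line)          # a terminated rule
        else:
            lastline = line             # unterminated: wait for the next line
    # The check added by the commit: nothing may remain pending at EOF.
    if lastline is not None and strict:
        raise ProfileParseError(
            'Syntax error: unterminated rule at end of profile: %r' % lastline)
    return rules


def profile_is_valid(data):
    """True if the profile text passes the strict trailing-line check."""
    try:
        join_rule_lines(data, strict=True)
        return True
    except ProfileParseError:
        return False


# Constructed sample profiles (not taken from the AppArmor tree).
GOOD_PROFILE = """\
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>
  /etc/example.conf r,
  owner /var/lib/example/** rwk,
  /usr/bin/helper
      Px,
}
""".splitlines()

# Same profile, but the last rule lost its comma.
BROKEN_PROFILE = """\
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>
  /etc/example.conf r,
  owner /var/lib/example/** rwk,
  /usr/bin/helper Px
}
""".splitlines()


if __name__ == '__main__':
    print('valid profile, joined rules:', join_rule_lines(GOOD_PROFILE))
    old = join_rule_lines(BROKEN_PROFILE, strict=False)
    print('old behaviour: %d rules, last one %r (rule and "}" lost)' % (len(old), old[-1]))
    try:
        join_rule_lines(BROKEN_PROFILE)
    except ProfileParseError as e:
        print('new behaviour:', e)
```

      Run as a script it prints the joined rules of the valid profile (the split "/usr/bin/helper" / "Px," rule comes back as one line) and shows that without the final check the broken profile yields five rules with no error at all, which is the silent acceptance the commit turns into a parse error.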
  9. 12 Nov, 2018 1 commit
  10. 11 Nov, 2018 1 commit
  11. 09 Nov, 2018 6 commits
    • parser: limit the number of passes expr tree simplification does · 2809060b
      John Johansen authored
      Expr tree simplification makes multiple passes at simplifying the
      expression tree trying to use factoring rules and heuristics to achieve
      the minimum tree, so that dfa construction has fewer nodes to deal
      with.
      
      Unfortunately expr tree simplification can slow down some policy
      compiles, depending on the type of expressions generated, and even worse
      is currently subject to never terminating on some expressions as the
      left and right passes keep undoing each other's work.
      
      Limiting the number of passes that expr tree simplification does can
      provide most of its benefits (later passes generally have diminishing
      returns), reduces the overhead it has on simple policy where it is of
      little benefit, and ensures that simplifications can not get stuck in
      an infinite loop due to the left and right passes ping-ponging on each
      other's factoring.
      
      Note: This also results in a performance improvement in evince
      compiles, and general policy compiles because it achieves a better
      balance between time spent on simplifying the tree to remove nodes and
      time the dfa build requires to build with extra nodes and then
      eliminate with minimization.
      
      $ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
      real	0m2.744s
      user	0m2.714s
      sys	0m0.028s
      
      vs.
      
      $ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
      real	0m2.992s
      user	0m2.979s
      sys	0m0.012s
      
      and
      
      $ time apparmor_parser -QT /etc/apparmor.d/
      real	0m3.568s
      user	0m14.529s
      sys	0m0.152s
      
      vs.
      
      $ time apparmor_parser -QT /etc/apparmor.d/
      real	0m3.741s
      user	0m15.400s
      sys	0m0.179s
      
      PR: !246
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
    • Merge branch 'cboltz-eventd' into 'master' · 3318f660
      John Johansen authored
      Remove traces of aa-eventd
      
      aa-eventd and its initscripts have been moved to deprecated/ in 2014 and didn't get any serious updates for several more years, so it's most probably useless and/or broken nowadays.
      
      This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE variables in rc.apparmor.functions anymore.
      
      (In theory I could move these variables to deprecated/rc.aaeventd.* - but in practice that sounds more than superfluous ;-)
      
      PR: !263
      Acked-by: John Johansen <john.johansen@canonical.com>
    • Remove traces of aa-eventd · 3a89e981
      Christian Boltz authored
      aa-eventd and its initscripts have been moved to deprecated/ in 2014 and
      didn't get any serious updates for several more years, so it's most
      probably useless and/or broken nowadays.
      
      This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE
      variables in rc.apparmor.functions anymore.
    • remove subdomainfs support · 94ff870f
      John Johansen authored
      It has been over 10 years since transition from subdomainfs to
      using securityfs. Let's drop this deprecated code.
      
      PR: !258
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: seth.arnold@canonical.com
    • rc.apparmor.functions: drop module loading support · 0d5ab43d
      John Johansen authored
      The apparmor kernel "module" has not been a loadable module for more
      than a decade, it must be built into the kernel and due to configuration
      requirements it will never go back to being a loadable module.
      
      Remove the long non-functioning load_module support from the init script.
      
      PR: !257
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: seth.arnold@canonical.com
    • Merge branch 'use-sys' into 'master' · e657ca67
      John Johansen authored
      Use @{sys} tunable in profiles and abstractions
      
      Commit aa065287 made @{sys} tunable available by default.
      
      Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var).
      
      Closes LP#1728551
      
      PR: !262
      Acked-by: John Johansen <john.johansen@canonical.com>
  12. 08 Nov, 2018 1 commit
  13. 07 Nov, 2018 2 commits
  14. 06 Nov, 2018 1 commit