Some applications queries network configuration (using QNetworkConfigurationManager class in Qt and similar), and that produces DBus denials under AppArmor confinement when NetworkManager backend is used.

Add abstraction that allows most common read-only DBus queries for getting current network configuration from NetworkManager backend.


PR: apparmor/apparmor!409


Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a10fa57f)
Signed-off-by: John Johansen <john.johansen@canonical.com>

In focal users of mdns get denials in apparmor confined applications.
An exampel can be found in the original bug below.

It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow

Therefore I'm asking to add
   /etc/mdns.allow r,
to the file
   /etc/apparmor.d/abstractions/mdns"
by default.

--- original bug ---

Many repetitions of

audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains

hosts: files mdns [NOTFOUND=return] myhostname dns

and /etc/mnds.allow contains the domains to resolve with mDNS (in may case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)

Presumably cronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629


Signed-off-by: John Johansen <john.johansen@canonical.com>

(cherry picked from commit eeac8c11)

his MR backports the patches for make 4.3 compability to the 2.13 branch.

Fixes: apparmor/apparmor#74
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1167953


Acked-by: John Johansen <john.johansen@canonical.com>

Define the "run" variable in 2.12 and 2.13 to make backporting profile updates easier.

Fixes: apparmor/apparmor#88
PR: apparmor/apparmor!466



Acked-by: John Johansen <john.johansen@canonical.com>

On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .

(cherry picked from commit 16f9f688)
Fixes: apparmor/apparmor#82


Signed-off-by: nl6720 <nl6720@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

abstractions/mesa: allow checking if the kernel supports the i915 perf interface

See merge request apparmor/apparmor!464

Acked-by: Vincas Dargis <vindrg@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13

(cherry picked from commit f56bab3f)

61571da1 abstractions/mesa: allow checking if the kernel supports the i915 perf interface

nl6720 authored 5 years ago and Christian Boltz committed 4 years ago

Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit 452b5b87)

apparmor/apparmor!461 /
e92da079 changed creating the
capabilities to use a script.

A side effect is that the list is now separated by \n instead of
spaces. Adjust create-apparmor.vim.py to the new output.

(cherry picked from commit 60b00578)

allgdante authored 4 years ago and Christian Boltz committed 4 years ago

This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.

(cherry picked from commit e92da079)

John Johansen authored 5 years ago and Christian Boltz committed 4 years ago

This reverts commit 378519d2.
this commit was meant for the 2.13 branch not master

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9144e39d)

Eric Chiang authored 6 years ago and Christian Boltz committed 4 years ago

This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.

Two changes were made:

* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a

Changes to list_af_names are intended to exactly replicate the old
behavior.

Signed-off-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit cb8c3377)

Update usr.sbin.winbindd profile to allow krb5 rcache files locking

See merge request apparmor/apparmor!460

Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master

(cherry picked from commit 5c1932d0)

2c3001c7 Update usr.sbin.winbindd profile to allow krb5 rcache files locking

assertEquals is deprecated since Python 2.7 and 3.2.

(cherry picked from commit 62abfe38)
Signed-off-by: John Johansen <john.johansen@canonical.com>

Signed-off-by: John Johansen <john.johansen@canonical.com>

abstractions/base: allow read access to /run/uuidd/request

See merge request apparmor/apparmor!445

Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master


(cherry picked from commit 80bf9209)

45fffc12 abstractions/base: allow read access to /run/uuidd/request

abstractions/gnome: also allow /etc/xdg/mimeapps.list

See merge request apparmor/apparmor!444

Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master


(cherry picked from commit 3becbbab)

67cf4fa3 abstractions/gnome: also allow /etc/xdg/mimeapps.list

abstractions/base: allow read access to top-level ecryptfs directories

See merge request apparmor/apparmor!443

Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master


(cherry picked from commit 24895ea3)

fbd8981e abstractions/base: allow read access to top-level ecryptfs directories

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit f4220a19)

John Johansen authored 5 years ago and Christian Boltz committed 5 years ago

Bug-Debian: https://bugs.debian.org/930031

As per https://developer.gnome.org/gtk3/stable/ch32s03.html, since GTK+ 3.6, $XDG_DATA_HOME/themes is preferred over $HOME/.themes. We already support the latter, let's also support the former.

PR: apparmor/apparmor!442


Acked-by: John Johansen <john.johansen@canonical.com>


(cherry picked from commit 098f0a7b)

852c1e76 gnome abstraction: allow reading per-user themes from $XDG_DATA_HOME

This adds a copy of the current .gitlab-ci.yml from master to the 2.13 branch to enable CI checks.

PR: apparmor/apparmor!436


Acked-by: John Johansen <john.johansen@canonical.com>

This adds a copy of the current .gitlab-ci.yml from master to the 2.13
branch to enable CI checks.

Allow /usr/etc/ in abstractions/authentication

openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.

See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.

Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162

See merge request apparmor/apparmor!426

Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master

(cherry picked from commit 1cfd4d4b)

ee7194a7 Allow /usr/etc/ in abstractions/authentication

abstractions/kerberosclient: allow reading /etc/krb5.conf.d/

See merge request apparmor/apparmor!425

Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master


(cherry picked from commit 663546c2)

dffed831 abstractions/kerberosclient: allow reading /etc/krb5.conf.d/

Drop 'localinclude' in parse_profile_data() and ProfileStorage

See merge request apparmor/apparmor!427

Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Acked-by: Steve Beattie <steve@nxnw.org> for 2.12..master

(cherry picked from commit b017f8f8)

001ea9e3 Drop 'localinclude' in parse_profile_data() and ProfileStorage

Fix a Python 3.8 autoconf check

See merge request apparmor/apparmor!430

Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
Acked-by: Steve Beattie <steve@nxnw.org> for master and 2.13

(cherry picked from commit 3db14e8e)

ccbf1e0b Fix a Python 3.8 autoconf check

README: add PYFLAKES=/usr/bin/pyflakes3 env variable

See merge request apparmor/apparmor!429

Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master

(cherry picked from commit 1567ea6f)

556bb94a README: add PYFLAKES=/usr/bin/pyflakes3 env variable

aa-status: handle profile names containing '('

Closes #51

See merge request apparmor/apparmor!415

Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master

(cherry picked from commit b76567ce)

41d26b01 aa-status: handle profile names containing '('

879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.

(cherry picked from commit c5968c70)
PR: apparmor/apparmor!420


Signed-off-by: John Johansen <john.johansen@canonical.com>

PR: apparmor/apparmor!421


(cherry picked from commit 2d19d4d1)
Signed-off-by: John Johansen <john.johansen@canonical.com>

Bug-Debian: https://bugs.debian.org/935058

Applications running under Xwayland in a GNOME+Wayland session need read access
to this file since:

  https://gitlab.gnome.org/jwrdegoede/mutter/commit/a8984a81c2e887623d69ec9989ae8a5025f7bd47

… that was first included in mutter 3.33.3.

This rule is presumably only needed for GNOME+Wayland sessions, so one could
argue that it should live in abstractions/wayland instead, but Jamie argued that
it should be in the X abstraction because Xwayland is a X server.

(cherry picked from commit c006f791)
MR: apparmor/apparmor!419
Bug-Debian: https://bugs.debian.org/935058


Signed-off-by: John Johansen <john.johansen@canonical.com>

Remove extra closing parenthesis.

Bug: https://launchpad.net/bugs/1838991


Fixes: 46586a63 ("parser: Add example dbus rule for unconfined peers")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

(cherry picked from commit 7df48ada)
Ref: apparmor/apparmor!410


Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

Correct the long option used to print the cache directory.

Fixes: e9d9395f ("parser: Add option to print the cache directory")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

(cherry picked from commit 50e34b45)
Ref: apparmor/apparmor!406


Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

Fix crash on unbalanced parenthesis in filename

See merge request apparmor/apparmor!402

Seth Arnold <seth.arnold@canonical.com> for 2.10..master

(cherry picked from commit db1f3918)

8f74ac02 Fix crash on unbalanced parenthesis in filename

Xiang Fei Ding authored 5 years ago and Steve Beattie committed 5 years ago

When cross compiling apparmor-parser, Makefile will use ar for
creating the static library. However, ar produces libraries on
the build platform. The right ar could be prefixed with the target
platform triples.

Signed-off-by: Xiang Fei Ding <dingxiangfei2009@gmail.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Ref: https://github.com/NixOS/nixpkgs/pull/63999
Bug: apparmor/apparmor#41


(cherry picked from commit 654d96a3)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

v2:
- parse partial log line broken at \n
- add testcase_dbus_10.* for partial log line
- remove quotes from  testcasw_dbus_09.profile

The following log format has been seen in the wild, and currently results
in a RECORD_INVALID

    [4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'

Test parsing the above message with and without the \n embedded between
peer_label= and exec=

PR: apparmor/apparmor!395


Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 0349cf2d)

[2.10..2.13] Add for Certbot on openSUSE Leap

See merge request apparmor/apparmor!398

Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13

Richard Chen authored 5 years ago and Christian Boltz committed 5 years ago

The default path is /etc/certbot/archive/{some domain}/{file name}.pem

See merge request apparmor/apparmor!397

This is a manual cherry-pick of 4d275bab
and 3016ffb3

[2.13] parser: allow using a custom sbin & usr/sbin dir

This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)

[Per feedback, added USR_SBINDIR as a toggle for the install location
 of aa-teardown -- @smb]

Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: apparmor/apparmor!111
(cherry picked from commit 7c86a2ac)



Cherry-pick requested in apparmor/apparmor#38



See merge request apparmor/apparmor!393

Acked-by: Seth Arnold <seth.arnold@canonical.com>

The mult_mount test creates a small disk image, formats it, and mounts
it in multiple locations in preparation for the tests. However, the
created raw file (80KB) is too small to make a working file system if
4K blocks are used by mkfs. In Ubuntu 19.10, the default was recently
changed for mkfs to default to always using 4K blocks, causing the
script to fail.

We could force mkfs to use 1K blocks, but instead, in case some future
version of mkfs decides not to support 1K blocks at all, we bump up the
size of the disk image to 512KB; large enough to work with 4K blocks
yet small enough to be workable in small scale test environments.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1834192
MR: apparmor/apparmor!396


(cherry picked from commit 7c7a4bc5)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

Rasmus Thomsen authored 6 years ago and Christian Boltz committed 5 years ago

This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)

[Per feedback, added USR_SBINDIR as a toggle for the install location
 of aa-teardown -- @smb]

Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: apparmor/apparmor!111
(cherry picked from commit 7c86a2ac)