lp://staging/apparmor

Created by Steve Beattie and last modified
Get this branch:
bzr branch lp://staging/apparmor

Branch information

Owner:
AppArmor Developers
Project:
AppArmor
Status:
Development

Import details

Import Status: Suspended

This branch is an import of the HEAD branch of the Git repository at https://gitlab.com/apparmor/apparmor.git.

Import started on juju-1e3bde-prod-lp-code-import-14 and finished taking 5 seconds
Import started on alnitak and finished taking 15 seconds
Import started on izar and finished taking 25 seconds
Import started on alnitak and finished taking 15 seconds

Recent revisions

4068. By Christian Boltz <email address hidden>

Merge branch 'cboltz-complex-profile-name' into 'master'

Add some tests for complex profile names

See merge request apparmor/apparmor!360

Acked-by: Eric Chiang <email address hidden>

4067. By John Johansen <email address hidden>

Merge branch 'identd' into 'master'

identd: Add network netlink dgram

identd requires access to network netlink dgram.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/353
Signed-off-by: John Johansen <email address hidden>

4066. By John Johansen <email address hidden>

Adjust tests to match base abstraction update.

Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/358
Acked-by: Christian Boltz <email address hidden>
Signed-off-by: John Johansen <email address hidden>

4065. By John Johansen <email address hidden>

Merge branch 'base-abstraction-allow-all-libraries' into 'master'

base abstraction: allow mr on *.so* in common library paths.

For example, VirtualBox guests have /usr/lib/VBoxOGL.so.

Without this change, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and display:

  ImportError: libGL.so.1: failed to map segment from shared object

… and the system logs have:

  apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.

So let's not assume all libraries have a name that starts with "lib".

Bug-Tails: https://redmine.tails.boum.org/code/issues/16414

Candidate for master and 2.13.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/345
Signed-off-by: John Johansen <email address hidden>

4064. By John Johansen <email address hidden>

dovecot: master SIGTERM children that are slow to die

When doing a service reload, I noticed the following:

```
Mar 22 15:52:27 smtp dovecot: master: Warning: SIGHUP received - reloading configuration
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=35309 out=232805
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=24600 out=1688166
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=14026 out=95516
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=13776 out=141513
Mar 22 15:52:33 smtp dovecot: master: Warning: Processes aren't dying after reload, sending SIGTERM.
Mar 22 15:52:33 smtp dovecot: master: Error: service(imap): kill(5806, 15) failed: Permission denied
Mar 22 15:52:33 smtp dovecot: master: Error: service(imap-login): kill(5804, 15) failed: Permission denied
Mar 22 15:52:33 smtp dovecot: master: Error: service(config): kill(506, 15) failed: Permission denied
Mar 22 15:52:33 smtp kernel: [65542.184326] audit: type=1400 audit(1553284353.609:82): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap"
Mar 22 15:52:33 smtp kernel: [65542.197596] audit: type=1400 audit(1553284353.625:83): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap-login"
Mar 22 15:52:33 smtp kernel: [65542.197635] audit: type=1400 audit(1553284353.625:84): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/config"
Mar 22 15:52:36 smtp dovecot: imap(simon): Server shutting down. in=17882 out=104004
```

The server was heavily loaded which is probably why it ended up trying to SIGTERM those.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/357
Signed-off-by: John Johansen <email address hidden>
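The denials quoted in this commit message (the dovecot master being refused `signal send` to its children) and in the previous one (the `file_mmap` denial on /usr/lib/VBoxOGL.so) are the audit lines a profile maintainer turns into rules. The following is an added example, not code from the AppArmor project or from either commit: a small Python parser for AppArmor `DENIED` lines that proposes, for each, the narrowest rule in apparmor.d(5) syntax that would permit it. The sample log is copied from the two commit messages; the function names and the per-file `mr` proposal are this example's own, and whether the project chose broader rules in the real dovecot profile is not shown on this page.

```python
"""Turn AppArmor "DENIED" audit lines into proposed profile rules.

Added example, not code from the AppArmor project: it parses the
file_mmap and signal denials quoted in the commit messages above and
prints the narrowest rule (apparmor.d(5) syntax) that would permit each.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: the denial lines quoted in the commit messages,
# plus one unrelated syslog line to show that non-audit lines are skipped.
SAMPLE_LOG = """\
Mar 22 15:52:33 smtp kernel: [65542.184326] audit: type=1400 audit(1553284353.609:82): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap"
Mar 22 15:52:33 smtp kernel: [65542.197596] audit: type=1400 audit(1553284353.625:83): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap-login"
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
Mar 22 15:52:27 smtp dovecot: master: Warning: SIGHUP received - reloading configuration
"""

# key=value and key="quoted value" pairs as the audit subsystem emits them
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an AppArmor DENIED line, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def propose_rule(fields: Dict[str, str]) -> Optional[str]:
    """Translate one denial into the narrowest rule that would allow it.

    file_mmap: a file rule with the denied bits plus "r", because a mapped
               object must also be readable (the base abstraction grants "mr").
    signal:    a signal rule limited to the denied direction, the signal
               name and the peer profile.
    Other operations (file open, capability, network ...) are not handled
    here and yield None.
    """
    op = fields.get("operation")
    if op == "file_mmap":
        perms = set(fields["denied_mask"]) | {"r"}
        return f'{fields["name"]} {"".join(c for c in "mrwlk" if c in perms)},'
    if op == "signal":
        return (f'signal {fields["denied_mask"]} set=({fields["signal"]}) '
                f'peer={fields["peer"]},')
    return None


def propose_rules(log_text: str) -> Dict[str, List[str]]:
    """Group the proposed rules by the profile that produced the denials."""
    proposals: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = propose_rule(fields) if fields else None
        if rule is None:
            continue
        rules = proposals.setdefault(fields["profile"], [])
        if rule not in rules:  # the same denial is often logged repeatedly
            rules.append(rule)
    return proposals


if __name__ == "__main__":
    for profile, rules in propose_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print("  " + rule)
```

Run as a script it prints `signal send set=(term) peer=/usr/lib/dovecot/imap,` and `signal send set=(term) peer=/usr/lib/dovecot/imap-login,` under `dovecot`, and `/usr/lib/VBoxOGL.so mr,` under `/usr/bin/onionshare-gui`. Those are what the denials literally ask for; the commit for !345 instead generalised the mmap case to `*.so*` in the common library paths, a judgment a log-driven tool cannot make on its own, which is why such proposals are a starting point for review rather than something to apply unread.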

4063. By John Johansen <email address hidden>

Add support for profiles with xattrs matching

Add userland support for matching based on extended file attributes. This
leverages DFA based matching already in the kernel:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e51f908
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73f488cd

Matching is exposed via flags on the profile:

    /usr/bin/* xattrs=(user.foo=bar user.bar=foo) {
        # ...
    }

xattr values are appended to the existing xmatch via a null transition.

    $ echo '/usr/bin/* xattrs=(user.foo=foo user.bar=bar) {}' | \
        ./parser/apparmor_parser -QT -D expr-tree
    DFA: Expression Tree
    /usr/bin/[^\0000/]([^\0000/])*(\0000bar)?(\0000foo)?< 0x1>
    DFA: Expression Tree
    (\a|(\n|(\0002|\t)))< 0x4>

Tested manually on a 4.19 kernel via QEMU+KVM.

TODO:

  * ~~Add regression tests~~ (EDIT: done)
  * ~~EDIT: add support in the tools~~ (EDIT: done)

Questions for reviewers:

  * ~~parser/libapparmor: regex construction probably needs cleaning up~~ (EDIT: done)
  * ~~parser/parser_regex.c: confused what xmatch length is for~~ (EDIT: done)

/cc @mjg59

PR: https://gitlab.com/apparmor/apparmor/merge_requests/270
Signed-off-by: John Johansen <email address hidden>
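The header syntax and the null-transition explanation in the commit message above describe when a profile carrying an `xattrs=(...)` clause attaches: the attachment glob must match the path and every listed attribute must be present with exactly the given value. As an added example, not code from the AppArmor project or from merge request !270, here is a Python model of that attachment decision at profile-header level. `parse_profile_header`, `glob_to_regex`, `profile_attaches` and `read_user_xattrs` are names introduced here; the glob translation covers only the `*`, `**` and `?` forms of AppArmor globbing, and xattr values containing spaces are not handled. The kernel performs the real match with the parser-generated DFA shown in the expression tree; this is a readable restatement of the rule, not that DFA.

```python
"""Model the attachment decision for profiles with an xattrs=(...) clause.

Added example, not code from the AppArmor project: a profile attaches to a
path when its attachment glob matches the path AND every listed extended
attribute is present on the file with exactly the required value. The glob
translation and xattr lookup are simplified re-implementations written for
this example; the kernel uses the parser-generated DFA instead.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed header, taken from the profile shown in the commit message.
SAMPLE_HEADER = "/usr/bin/* xattrs=(user.foo=bar user.bar=foo) {"

# attachment path, an optional xattrs=( ... ) clause, then the opening brace
_HEADER = re.compile(
    r"^\s*(?P<attach>\S+)"
    r"(?:\s+xattrs=\((?P<xattrs>[^)]*)\))?"
    r"\s*\{")


def parse_profile_header(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (attachment glob, {xattr name: required value}).

    Only the bare attachment-path form of a header is handled; values
    containing whitespace are not (a limitation of this example).
    """
    m = _HEADER.match(header)
    if not m:
        raise ValueError(f"not a profile header: {header!r}")
    required: Dict[str, str] = {}
    for item in (m.group("xattrs") or "").split():
        name, _, value = item.partition("=")
        required[name] = value
    return m.group("attach"), required


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate the subset of AppArmor globbing used in attachment paths.

    '*'  matches any run of characters except '/' (within one component),
    '**' matches across '/' as well, '?' matches one non-'/' character.
    Brace alternation and character classes are not translated here.
    """
    parts: List[str] = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            parts.append("[^/]*")
        elif c == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def profile_attaches(header: str, path: str, xattrs: Dict[str, str]) -> bool:
    """True only if the path glob matches and every required xattr matches."""
    attach, required = parse_profile_header(header)
    if not glob_to_regex(attach).match(path):
        return False
    # Every listed attribute must exist with exactly the given value; a
    # missing attribute or a different value means the profile does not attach.
    return all(xattrs.get(name) == value for name, value in required.items())


def read_user_xattrs(path: str) -> Dict[str, str]:
    """Read the user.* extended attributes of a real file (Linux only)."""
    found: Dict[str, str] = {}
    for name in os.listxattr(path):
        if name.startswith("user."):
            found[name] = os.getxattr(path, name).decode(errors="replace")
    return found


if __name__ == "__main__":
    # Constructed attribute sets standing in for what read_user_xattrs returns.
    for attrs in ({"user.foo": "bar", "user.bar": "foo"}, {"user.foo": "bar"}):
        print(attrs, "->", profile_attaches(SAMPLE_HEADER, "/usr/bin/foo", attrs))
```

To check a file on disk, pass `read_user_xattrs(path)` as the third argument of `profile_attaches`; the constructed dictionaries in the `__main__` block avoid depending on a filesystem that supports `user.*` attributes.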

4062. By John Johansen <email address hidden>

Get rid of $MODULE, replace usage with hardcoded "apparmor"

I slightly ;-) doubt we'll change the module name.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/354
Signed-off-by: Christian Boltz <email address hidden>
Signed-off-by: John Johansen <email address hidden>

4061. By John Johansen <email address hidden>

parser/libapparmor_re: remove unnecessary throw(int)

Compiling the parser currently prints a deprecation warning. Remove
throw(int) annotations from function signatures. These aren't required
to catch exceptions. This gets us closer to possibly enabling '-Werror'
in the future.

For example, the following program catches the exception without a
throw(int) annotation:

 #include <iostream>
 void throw_an_error()
 {
         throw 3;
         return;
 }
 int main ()
 {
         try
         {
                 throw_an_error();
         }
         catch (int e)
         {
                 std::cout << "caught exception " << e << '\n';
         }
         return 0;
 }

This program prints:

 $ g++ -o error error.cc
 $ ./error
 caught exception 3

PR: https://gitlab.com/apparmor/apparmor/merge_requests/356
Signed-off-by: Eric Chiang <email address hidden>
Signed-off-by: John Johansen <email address hidden>

4060. By Christian Boltz <email address hidden>

Merge branch 'cboltz-shellcheck' into 'master'

Make shellcheck happier

See merge request apparmor/apparmor!355

Acked-by: Eric Chiang <email address hidden>

4059. By Christian Boltz <email address hidden>

Merge branch 'cboltz-deprecate-kill' into 'master'

drop most of apparmor_kill()

See merge request apparmor/apparmor!351

Acked-by: Eric Chiang <email address hidden>

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)