File changes-since-2.10.1--r3326..3346.diff of Package apparmor
------------------------------------------------------------
revno: 3346
fixes bug: https://launchpad.net/bugs/1538306
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-08-15 22:06:47 +0200
message:
  Fix aa-logprof "add hat" endless loop

  This turned out to be a simple case of misinterpreting the promptUser() result - it returns the answer and the selected option, and "surprisingly" something like ('CMD_ADDHAT', 0) never matched 'CMD_ADDHAT' ;-)

  I also noticed that the new hat doesn't get initialized as profile_storage(), and that the changed profile doesn't get marked as changed. This is also fixed by this patch.

  References: https://bugs.launchpad.net/apparmor/+bug/1538306

  Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3345
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Fri 2016-08-12 12:02:43 +0200
message:
  type_is_str(): make pyflakes3 happy

  pyflakes3 doesn't check sys.version and therefore complains about 'unicode' being undefined.

  This patch defines unicode as alias of str to make pyflakes3 happy, and as a side effect, simplifies type_is_str().

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
------------------------------------------------------------
revno: 3344
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-08-08 23:16:12 +0200
message:
  delete_duplicates(): don't modify self.rules while looping over it

  By calling self.delete() inside the delete_duplicates() loop, the self.rules list was modified. This resulted in some rules not being checked and therefore (some, not all) superfluous rules not being removed.

  This patch switches to a temporary variable to loop over, and rebuilds self.rules with the rules that are not superfluous.

  This also fixes some strange issues already marked with a "Huh?" comment in the tests.

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.

  Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule, therefore the cleanprof_test.out change doesn't make sense for 2.10.
------------------------------------------------------------
revno: 3343
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-08-03 21:53:06 +0200
message:
  winbindd profile: allow dac_override

  This is needed to delete kerberos ccache files, for details see https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
  Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3342
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-07-31 17:15:42 +0200
message:
  logparser: store network-related params if an event looks like network

  Network events can come with an operation= that looks like a file event. Nevertheless, if the event has a typical network parameter (like net_protocol) set, make sure to store the network-related flags in ev.

  This fixes the test failure introduced in my last commit.

  Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3341
fixes bug: https://launchpad.net/bugs/1577051
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sat 2016-07-30 00:44:18 +0200
message:
  logparser.py: ignore network events with 'send receive'

  We already ignore network events that look like file events (based on the operation keyword) if they have a request_mask of 'send' or 'receive' to avoid aa-logprof crashes because of "unknown" permissions.

  It turned out that both can happen at once, so we should also ignore this case.

  Also add the now-ignored log event as test_multi testcase.

  References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13

  Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3340
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Fri 2016-07-29 11:46:16 -0700
message:
  add ld.so.preload to <abstractions/base>, thanks to Uzair Shamim
------------------------------------------------------------
revno: 3339
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Tue 2016-07-26 21:13:49 +0200
message:
  Allow mr for /usr/lib*/ldb/*.so in samba abstractions

  This is needed for winbindd (since samba 4.4.x), but smbd could also need it.

  References: https://bugzilla.opensuse.org/show_bug.cgi?id=990006

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3338
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Fri 2016-06-24 10:36:42 -0700
message:
  intrigeri@boum.org 2016-06-24 mod_apparmor manpage: fix "documenation" typo.
------------------------------------------------------------
revno: 3337
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-06-22 15:15:42 -0700
message:
  From: Simon McVittie <simon.mcvittie@collabora.co.uk>
  Date: Tue, 21 Jun 2016 18:18:45 +0100
  Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf

  Follow the same logic we already did for NetworkManager, resolvconf and systemd-resolved. The wonderful thing about standards is that there are so many to choose from.

  Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
  [modified by sarnold to fit the surroundings]
------------------------------------------------------------
revno: 3336
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-06-05 23:43:55 +0200
message:
  Add a note about still enforcing deny rules to aa-complain manpage

  This behaviour makes sense (for example to force the confined program to use a fallback path), but is probably surprising for users, so we should document it.

  References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218#37

  Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3335
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-06-05 20:07:33 +0200
message:
  honor 'chown' file events in logparser.py

  Also add a testcase to libapparmor's log collection

  Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3334
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-06-01 21:06:25 +0200
message:
  aa-genprof: ask about profiles in extra dir (again)

  Thanks to reading the wrong directory in read_inactive_profiles() (profile_dir instead of extra_profile_dir), aa-genprof never asked about using a profile from the extra_profile_dir.

  Sounds like an easy fix, right? ;-)

  After fixing this (last chunk), several other errors popped up, one after the other:
  - get_profile() missed a required parameter in a serialize_profile() call
  - when saving the profile, it was written to extra_profile_dir, not to profile_dir where it (as a now-active profile) should be. This is fixed by removing the filename from existing_profiles{} so that it can pick up the default name.
  - CMD_FINISHED (when asking if the extra profile should be used or a new one) behaved exactly like CMD_CREATE_PROFILE, but this is surprising for the user. Remove it to avoid confusion.
  - displaying the extra profile was only implemented in YaST mode
  - get_pager() returned None, not an actual pager. Since we have 'less' hardcoded at several places, also return it in get_pager()

  Finally, also remove CMD_FINISHED from the get_profile() test in test-translations.py. (test-translations.py is only in trunk, therefore this part of the patch is obviously trunk-only.)

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk
  Acked-by: John Johansen <john.johansen@canonical.com> for trunk + a 50% ACK for 2.10 and 2.9
  Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3333
fixes bugs: https://launchpad.net/bugs/1577051 https://launchpad.net/bugs/1582374
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-05-23 23:32:23 +0200
message:
  Ignore file events with a request mask of 'send' or 'receive'

  Those events are actually network events, so ideally we should map them as such. Unfortunately this requires bigger changes, so here is a hotfix that ignores those events and thus avoids crashing aa-logprof.

  References: https://bugs.launchpad.net/apparmor/+bug/1577051 https://bugs.launchpad.net/apparmor/+bug/1582374

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3332
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sun 2016-05-22 14:51:55 +0200
message:
  Document empty quotes ("") as empty value of a variable

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for all branches where this makes sense :)
------------------------------------------------------------
revno: 3331
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-05-18 21:18:34 +0200
message:
  allow inet6 in ping profile

  The latest iputils merged ping and ping6 into a single binary that does both IPv4 and IPv6 pings (by default, it really does both). This means we need to allow network inet6 raw in the ping profile.

  References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596 (contains more details and example output)

  Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3330
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-05-11 17:23:22 -0700
message:
  dbus-session-strict: allow access to the user bus socket

  From: Simon McVittie <simon.mcvittie@collabora.co.uk>
  Date: Wed, 4 May 2016 13:48:36 +0100
  Subject: dbus-session-strict: allow access to the user bus socket

  If dbus is configured with --enable-user-bus (for example in the dbus-user-session package in Debian and its derivatives), and the user session is started with systemd, then the "dbus-daemon --session" will be started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus.

  Similarly, on systems where dbus-daemon has been replaced with kdbus, the bridge/proxy used to provide compatibility with the traditional D-Bus protocol listens on that same socket.

  In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems, where $uid represents the numeric uid. I have not used /{var/,}run here, because systemd does not support configurations where /var/run and /run are distinct; in practice, /var/run is a symbolic link.

  Based on a patch by Sjoerd Simons, which originally used the historical path /run/user/*/dbus/user_bus_socket. That path was popularized by the user-session-units git repository, but has never been used in a released version of dbus and should be considered unsupported.

  Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
------------------------------------------------------------
revno: 3329
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-05-11 16:30:29 -0700
message:
  syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n

  From: Simon McVittie <simon.mcvittie@collabora.co.uk>
  Date: Wed, 11 May 2016 13:52:56 +0100
  Subject: syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n

  This test attempts to auto-skip the sysctl() part if that syscall was not compiled into the current kernel, via CONFIG_SYSCTL_SYSCALL=n. Unfortunately, this didn't actually work, for two reasons:

  * Because "${test} ro" wasn't in "&&", "||", a pipeline or an "if", and it had nonzero exit status, the trap on ERR was triggered, causing execution of the error_handler() shell function, which aborts the test with a failed status. The rules for ERR are the same as for "set -e", so we can circumvent it in the same ways.

  * Because sysctl_syscall.c prints its diagnostic message to stderr, but the $() operator only captures stdout, it never matched in the string comparison. This is easily solved by redirecting its stderr to stdout.

  Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
------------------------------------------------------------
revno: 3328
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Tue 2016-05-10 14:34:40 +0200
message:
  load variables in ask_the_questions()

  Variables can be used in several rule types (from the existing *Rule classes: change_profile, dbus, ptrace, signal). It seems nobody uses variables with those rules, otherwise we'd have received a bugreport ;-)

  I noticed this while working on FileRule, where usage of variables is more common.

  The file code in bzr (not using a *Rule class) already loads the variables, so old versions don't need changes for file rule handling. However, 2.10 already has ChangeProfileRule and therefore also needs this fix.

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
------------------------------------------------------------
revno: 3327
fixes bug: https://launchpad.net/bugs/1453300
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Thu 2016-05-05 12:02:11 +0200
message:
  accept hostname with dots

  Some people have the full hostname in their syslog messages, so libapparmor needs to accept hostnames that contain dots.

  References: https://bugs.launchpad.net/apparmor/+bug/1453300 comments #1 and #2 (the log samples reported by scrx in #apparmor)

  Acked-by: Seth Arnold <seth.arnold@canonical.com>
  Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3326
tags: apparmor_2.10.1
committer: John Johansen <john.johansen@canonical.com>
branch nick: 2.10
timestamp: Wed 2016-04-20 02:07:34 -0700
message:
  common/Version: prepare for 2.10.1 release
=== modified file 'changehat/mod_apparmor/mod_apparmor.pod' --- changehat/mod_apparmor/mod_apparmor.pod 2014-09-15 18:30:47 +0000 +++ changehat/mod_apparmor/mod_apparmor.pod 2016-06-24 17:36:42 +0000
@@ -65,7 +65,7 @@ AAHatName allows you to specify a hat to be used for a given Apache E<lt>DirectoryE<gt>, E<lt>DirectoryMatchE<gt>, E<lt>LocationE<gt> or -E<lt>LocationMatchE<gt> directive (see the Apache documenation for more +E<lt>LocationMatchE<gt> directive (see the Apache documentation for more details). Note that mod_apparmor behavior can become confused if E<lt>Directory*E<gt> and E<lt>Location*E<gt> directives are intermingled and it is recommended to use one type of directive. If the hat specified by === modified file 'libraries/libapparmor/src/scanner.l' --- libraries/libapparmor/src/scanner.l 2015-06-02 08:00:29 +0000 +++ libraries/libapparmor/src/scanner.l 2016-05-05 10:02:11 +0000 @@ -178,7 +178,7 @@ hhmmss {digit}{2}{colon}{digit}{2}{colon}{digit}{2} timezone ({plus}|{minus}){digit}{2}{colon}{digit}{2} syslog_time {hhmmss}({period}{digits})?{timezone}? -syslog_hostname [[:alnum:]_-]+ +syslog_hostname [[:alnum:]._-]+ dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\] %x single_quoted_string === added file 'libraries/libapparmor/testsuite/test_multi/file_chown.err' === added file 'libraries/libapparmor/testsuite/test_multi/file_chown.in' --- libraries/libapparmor/testsuite/test_multi/file_chown.in 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/file_chown.in 2016-06-05 18:07:33 +0000 @@ -0,0 +1,1 @@ +type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4 === added file 'libraries/libapparmor/testsuite/test_multi/file_chown.out' --- libraries/libapparmor/testsuite/test_multi/file_chown.out 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/file_chown.out 2016-06-05 18:07:33 +0000 
@@ -0,0 +1,15 @@ +START +File: file_chown.in +Event type: AA_RECORD_DENIED +Audit ID: 1465133533.431:728 +Operation: chown +Mask: w +Denied Mask: w +fsuid: 0 +ouid: 4 +Profile: /usr/sbin/cupsd +Name: /run/cups/certs/ +Command: cupsd +PID: 8515 +Epoch: 1465133533 +Audit subid: 728 === added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.err' === added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in' --- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 2016-05-05 10:02:11 +0000 @@ -0,0 +1,1 @@ +Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" profile="/opt/evoke/venv/bin/gunicorn" name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=110 === added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out' --- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 2016-05-05 10:02:11 +0000 
@@ -0,0 +1,15 @@ +START +File: syslog_hostname_with_dot.in +Event type: AA_RECORD_ALLOWED +Audit ID: 1442256553.643:40143 +Operation: open +Mask: r +Denied Mask: r +fsuid: 1000 +ouid: 110 +Profile: /opt/evoke/venv/bin/gunicorn +Name: /opt/evoke/venv/lib/python2.7/warnings.pyc +Command: gunicorn +PID: 28943 +Epoch: 1442256553 +Audit subid: 40143 === added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err' === added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in' --- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 2016-07-29 22:44:18 +0000 @@ -0,0 +1,1 @@ +Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive" === added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out' --- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 2016-07-29 22:44:18 +0000 
@@ -0,0 +1,19 @@ +START +File: testcase_network_send_receive.in +Event type: AA_RECORD_ALLOWED +Audit ID: 1469785325.122:21021 +Operation: file_inherit +Mask: send receive +Denied Mask: send receive +Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash +Command: sh +PID: 18239 +Network family: inet +Socket type: stream +Protocol: tcp +Local addr: 192.168.10.3 +Foreign addr: 54.153.70.241 +Local port: 50758 +Foreign port: 443 +Epoch: 1469785325 +Audit subid: 21021 === modified file 'parser/apparmor.d.pod' --- parser/apparmor.d.pod 2016-02-12 20:43:42 +0000 +++ parser/apparmor.d.pod 2016-05-22 12:51:55 +0000 @@ -1234,7 +1234,8 @@ The parser will automatically expand variables to include all values that they have been assigned; it is an error to reference a variable -without setting at least one value. +without setting at least one value. You can use empty quotes ("") to +explicitly add an empty value. At the time of this writing, the following variables are defined in the provided AppArmor policy: === modified file 'profiles/apparmor.d/abstractions/base' --- profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000 +++ profiles/apparmor.d/abstractions/base 2016-07-29 18:46:16 +0000 @@ -47,6 +47,7 @@ # ld.so.cache and ld are used to load shared libraries; they are best # available everywhere /etc/ld.so.cache mr, + /etc/ld.so.preload r, /lib{,32,64}/ld{,32,64}-*.so mrix, /lib{,32,64}/**/ld{,32,64}-*.so mrix, /lib/@{multiarch}/ld{,32,64}-*.so mrix, === modified file 'profiles/apparmor.d/abstractions/dbus-session-strict' --- profiles/apparmor.d/abstractions/dbus-session-strict 2014-09-03 20:11:05 +0000 +++ profiles/apparmor.d/abstractions/dbus-session-strict 2016-05-12 00:23:22 +0000 
@@ -17,6 +17,9 @@ type=stream peer=(addr="@/tmp/dbus-*"), + # dbus with systemd and --enable-user-session + owner /run/user/[0-9]*/bus rw, + dbus send bus=session path=/org/freedesktop/DBus === modified file 'profiles/apparmor.d/abstractions/nameservice' --- profiles/apparmor.d/abstractions/nameservice 2016-01-05 23:04:34 +0000 +++ profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:42 +0000 @@ -33,14 +33,10 @@ /var/lib/sss/pipes/nss rw, /etc/resolv.conf r, - # on systems using resolvconf, /etc/resolv.conf is a symlink to - # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in - # /etc/resolvconf/run/resolv.conf - /{,var/}run/resolvconf/resolv.conf r, + # On systems where /etc/resolv.conf is managed programmatically, it is + # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf. + /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r, /etc/resolvconf/run/resolv.conf r, - # on systems using systemd's networkd, /etc/resolv.conf is a symlink to - # /run/systemd/resolve/resolv.conf - /{,var/}run/systemd/resolve/resolv.conf r, /etc/samba/lmhosts r, /etc/services r, === modified file 'profiles/apparmor.d/abstractions/samba' --- profiles/apparmor.d/abstractions/samba 2015-05-18 23:25:26 +0000 +++ profiles/apparmor.d/abstractions/samba 2016-07-26 19:13:49 +0000 @@ -10,6 +10,7 @@ # ------------------------------------------------------------------ /etc/samba/* r, + /usr/lib*/ldb/*.so mr, /usr/share/samba/*.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, /var/cache/samba/ w, === modified file 'profiles/apparmor.d/bin.ping' --- profiles/apparmor.d/bin.ping 2015-10-20 21:12:35 +0000 +++ profiles/apparmor.d/bin.ping 2016-05-18 19:18:34 +0000 
@@ -18,6 +18,7 @@ capability net_raw, capability setuid, network inet raw, + network inet6 raw, /{,usr/}bin/ping mixr, /etc/modules.conf r, === modified file 'profiles/apparmor.d/usr.sbin.winbindd' --- profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000 +++ profiles/apparmor.d/usr.sbin.winbindd 2016-08-03 19:53:06 +0000 @@ -7,6 +7,7 @@ deny capability block_suspend, + capability dac_override, capability ipc_lock, capability setuid, === modified file 'tests/regression/apparmor/syscall_sysctl.sh' --- tests/regression/apparmor/syscall_sysctl.sh 2014-03-20 18:23:10 +0000 +++ tests/regression/apparmor/syscall_sysctl.sh 2016-05-11 23:30:29 +0000 @@ -149,8 +149,7 @@ # generally we want to encourage kernels to disable it, but if it's # enabled we want to test against it settest syscall_sysctl -res=$(${test} ro) -if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then +if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then echo " WARNING: syscall sysctl not implemented, skipping tests ..." else test_syscall_sysctl === modified file 'utils/aa-complain.pod' --- utils/aa-complain.pod 2014-09-15 18:30:47 +0000 +++ utils/aa-complain.pod 2016-06-05 21:43:55 +0000 @@ -41,6 +41,8 @@ In this mode security policy is not enforced but rather access violations are logged to the system log. +Note that 'deny' rules will be enforced even in complain mode. + =head1 BUGS If you find any bugs, please report them at === modified file 'utils/aa-mergeprof' --- utils/aa-mergeprof 2015-07-06 20:02:34 +0000 +++ utils/aa-mergeprof 2016-05-10 12:34:40 +0000 
@@ -1,6 +1,7 @@ #! /usr/bin/env python # ---------------------------------------------------------------------- # Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com> +# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de> # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -17,7 +18,7 @@ import os import apparmor.aa -from apparmor.aa import available_buttons, combine_name, delete_duplicates, is_known_rule, match_includes +from apparmor.aa import available_buttons, combine_name, delete_duplicates, get_profile_filename, is_known_rule, match_includes import apparmor.aamode from apparmor.common import AppArmorException from apparmor.regex import re_match_include @@ -283,6 +284,9 @@ if not sev_db: sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown')) + sev_db.unload_variables() + sev_db.load_variables(get_profile_filename(profile)) + for hat in sorted(other.aa[profile].keys()): #Add the includes from the other profile to the user profile done = False === modified file 'utils/apparmor/aa.py' --- utils/apparmor/aa.py 2016-03-01 20:25:29 +0000 +++ utils/apparmor/aa.py 2016-08-15 20:06:47 +0000 @@ -1,6 +1,6 @@ # ---------------------------------------------------------------------- # Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com> -# Copyright (C) 2014-2015 Christian Boltz <apparmor@cboltz.de> +# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de> # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public 
@@ -557,8 +557,11 @@ inactive_profile[prof_name][prof_name].pop('filename') profile_hash[uname]['username'] = uname profile_hash[uname]['profile_type'] = 'INACTIVE_LOCAL' - profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name) + profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name, None) profile_hash[uname]['profile_data'] = inactive_profile + + existing_profiles.pop(prof_name) # remove profile filename from list to force storing in /etc/apparmor.d/ instead of extra_profile_dir + # If no profiles in repo and no inactive profiles if not profile_hash.keys(): return None @@ -579,18 +582,13 @@ q = aaui.PromptQuestion() q.headers = ['Profile', prof_name] - q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', - 'CMD_ABORT', 'CMD_FINISHED'] + q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT'] q.default = "CMD_VIEW_PROFILE" q.options = options q.selected = 0 ans = '' while 'CMD_USE_PROFILE' not in ans and 'CMD_CREATE_PROFILE' not in ans: - if ans == 'CMD_FINISHED': - save_profiles() - return - ans, arg = q.promptUser() p = profile_hash[options[arg]] q.selected = options.index(options[arg]) @@ -602,12 +600,13 @@ 'profile_type': p['profile_type'] }) ypath, yarg = GetDataFromYast() - #else: - # pager = get_pager() - # proc = subprocess.Popen(pager, stdin=subprocess.PIPE) + else: + pager = get_pager() + proc = subprocess.Popen(pager, stdin=subprocess.PIPE) # proc.communicate('Profile submitted by %s:\n\n%s\n\n' % # (options[arg], p['profile'])) - # proc.kill() + proc.communicate(p['profile'].encode()) + proc.kill() elif ans == 'CMD_USE_PROFILE': if p['profile_type'] == 'INACTIVE_LOCAL': profile_data = p['profile_data'] 
@@ -658,6 +657,7 @@ if not profile_data: profile_data = create_new_profile(pname) file = get_profile_filename(pname) + profile_data[pname][pname]['filename'] = None # will be stored in /etc/apparmor.d when saving, so it shouldn't carry the extra_profile_dir filename attach_profile_data(aa, profile_data) attach_profile_data(original_aa, profile_data) if os.path.isfile(profile_dir + '/tunables/global'): @@ -1095,7 +1095,7 @@ seen_events += 1 - ans = q.promptUser() + ans = q.promptUser()[0] if ans == 'CMD_FINISHED': save_profiles() @@ -1105,7 +1105,9 @@ if ans == 'CMD_ADDHAT': hat = uhat + aa[profile][hat] = profile_storage(profile, hat, 'handle_children addhat') aa[profile][hat]['flags'] = aa[profile][profile]['flags'] + changed[profile] = True elif ans == 'CMD_USEDEFAULT': hat = default_hat elif ans == 'CMD_DENY': @@ -1590,6 +1592,10 @@ UI_SelectUpdatedRepoProfile(profile, p) found += 1 + + sev_db.unload_variables() + sev_db.load_variables(get_profile_filename(profile)) + # Sorted list of hats with the profile name coming first hats = list(filter(lambda key: key != profile, sorted(log_dict[aamode][profile].keys()))) if log_dict[aamode][profile].get(profile, False): @@ -2305,7 +2311,7 @@ reload_base(profile_name) def get_pager(): - pass + return 'less' def generate_diff(oldprofile, newprofile): oldtemp = tempfile.NamedTemporaryFile('w') @@ -2504,7 +2510,7 @@ except: fatal_error(_("Can't read AppArmor profiles in %s") % extra_profile_dir) - for file in os.listdir(profile_dir): + for file in os.listdir(extra_profile_dir): if os.path.isfile(extra_profile_dir + '/' + file): if is_skippable_file(file): continue === modified file 'utils/apparmor/common.py' --- utils/apparmor/common.py 2015-12-17 22:38:02 +0000 +++ utils/apparmor/common.py 2016-08-12 10:02:43 +0000 
@@ -245,11 +245,12 @@ return False return True +if sys.version_info[0] > 2: + unicode = str # python 3 dropped the unicode type. To keep type_is_str() simple (and pyflakes3 happy), re-create it as alias of str. + def type_is_str(var): ''' returns True if the given variable is a str (or unicode string when using python 2)''' - if type(var) == str: - return True - elif sys.version_info[0] < 3 and type(var) == unicode: # python 2 sometimes uses the 'unicode' type + if type(var) in [str, unicode]: # python 2 sometimes uses the 'unicode' type return True else: return False === modified file 'utils/apparmor/logparser.py' --- utils/apparmor/logparser.py 2016-02-10 18:09:57 +0000 +++ utils/apparmor/logparser.py 2016-07-31 15:15:42 +0000 @@ -133,7 +133,7 @@ ev['denied_mask'] = event.denied_mask ev['request_mask'] = event.requested_mask ev['magic_token'] = event.magic_token - if ev['operation'] and self.op_type(ev['operation']) == 'net': + if ev['operation'] and (self.op_type(ev['operation']) == 'net' or event.net_protocol): ev['family'] = event.net_family ev['protocol'] = event.net_protocol ev['sock_type'] = event.net_sock_type @@ -278,7 +278,7 @@ self.debug_logger.debug('parse_event_for_tree: dropped exec event in %s' % e['profile']) elif ( e['operation'].startswith('file_') or e['operation'].startswith('inode_') or - e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'rename_src', + e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'chown', 'rename_src', 'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link', 'sysctl', 'getattr', 'setattr', 'xattr'] ): 
@@ -289,6 +289,13 @@ self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e) return None + # sometimes network events come with an e['operation'] that matches the list of file operations + # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374 + # XXX these events are network events, so we should map them as such + if 'send' in e['request_mask'] or 'receive' in e['request_mask']: + self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e) + return None + # Map c (create) and d (delete) to w (logging is more detailed than the profile language) rmask = e['request_mask'] rmask = rmask.replace('c', 'w') === modified file 'utils/apparmor/rule/__init__.py' --- utils/apparmor/rule/__init__.py 2016-01-25 22:42:45 +0000 +++ utils/apparmor/rule/__init__.py 2016-08-08 21:16:12 +0000 @@ -312,10 +312,13 @@ # delete rules that are covered by include files if include_rules: - for rule in self.rules: - if include_rules.is_covered(rule, True, True): - self.delete(rule) + oldrules = self.rules + self.rules = [] + for rule in oldrules: + if include_rules.is_covered(rule, True, False): deleted += 1 + else: + self.rules.append(rule) # de-duplicate rules inside the profile deleted += self.delete_in_profile_duplicates() === modified file 'utils/test/test-capability.py' --- utils/test/test-capability.py 2015-11-23 23:22:37 +0000 +++ utils/test/test-capability.py 2016-08-08 21:16:12 +0000 @@ -817,7 +817,6 @@ inc.add(CapabilityRule.parse(rule)) expected_raw = [ - ' allow capability sys_admin,', # XXX huh? should be deleted! ' deny capability chgrp, # example comment', '', ] 
@@ -825,11 +824,9 @@ expected_clean = [ ' deny capability chgrp, # example comment', '', - ' allow capability sys_admin,', # XXX huh? should be deleted! - '', ] - self.assertEqual(self.ruleset.delete_duplicates(inc), 1) + self.assertEqual(self.ruleset.delete_duplicates(inc), 2) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1))
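Review bot: In libraries/libapparmor/src/scanner.l (hunk @@ -178,7 +178,7 @@), the widened token `syslog_hostname [[:alnum:]._-]+` also accepts a token made only of dots or dashes as a hostname. If the grammar relies on the following `kernel:` token to disambiguate that is harmless, but a one-line comment next to the rule saying that dots are allowed for fully qualified hostnames (and pointing at the syslog_hostname_with_dot test) would stop someone tightening it back later.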
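Review bot: The fixture libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in carries what looks like a real internal hostname (`mfa-mia-74-app-rabbitmq-1.mia.ix.int`) plus the deployment path and uids from the user's bug report. Since the test only needs a dotted hostname, replacing it with a synthetic name such as `host.example.com` in both the .in and the .out file keeps the coverage without committing someone's infrastructure naming to the repository.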
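Review bot: In profiles/apparmor.d/abstractions/base (hunk @@ -47,6 +47,7 @@), `/etc/ld.so.preload r,` is correctly read-only; please add a short comment stating that it must stay `r`, because a confined program that could write this file would get code loaded into every dynamically linked process on the system. The surrounding comment only explains ld.so.cache, so a future "fix" to `rw` would not look suspicious without the note.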
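Review bot: In profiles/apparmor.d/abstractions/dbus-session-strict (hunk @@ -17,6 +17,9 @@), the comment reads `# dbus with systemd and --enable-user-session`, while the commit message for revno 3330 says the relevant dbus configure switch is `--enable-user-bus` (the Debian package is dbus-user-session). Aligning the comment with the real option name avoids sending readers to a non-existent configure flag.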
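Review bot: In profiles/apparmor.d/abstractions/nameservice (hunk @@ -33,14 +33,10 @@), the commit message says NetworkManager was already handled, yet the hunk only removes the resolvconf and systemd/resolve lines; please check that no separate NetworkManager resolv.conf rule remains elsewhere in the file, now redundant with the `{resolvconf,NetworkManager,systemd/resolve,connman}` group. Also, `/etc/resolvconf/run/resolv.conf r,` is kept but the comment that used to explain it was deleted; a short comment for that path would keep the section self-explanatory.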
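Review bot: In profiles/apparmor.d/abstractions/samba (hunk @@ -10,6 +10,7 @@), `/usr/lib*/ldb/*.so mr,` grants mmap-exec on every shared object under any `/usr/lib*` directory, and `lib*` also matches names such as `libexec`. If only the lib, lib32 and lib64 trees are intended, the `{,32,64}` alternation already used in abstractions/base (`/lib{,32,64}/ld{,32,64}-*.so`) is the tighter spelling: `/usr/lib{,32,64}/ldb/*.so mr,`.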
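Review bot: In profiles/apparmor.d/usr.sbin.winbindd (hunk @@ -7,6 +7,7 @@), `capability dac_override,` lets winbindd bypass discretionary permission checks on every path its file rules already allow, which is a much broader grant than the single use case (deleting Kerberos ccache files) given in the revno 3343 message. Please put that reason and the bugzilla URL in a comment directly above the rule, and note in the message whether fixing the ownership of the ccache files was considered as the narrower alternative.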
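Review bot: In tests/regression/apparmor/syscall_sysctl.sh (hunk @@ -149,8 +149,7 @@), the new `if ! res="$(${test} ro 2>&1)" && [ "$res" = "..." ]` is correct (`!` applies only to the assignment, so the ERR trap no longer fires, and `2>&1` gets the diagnostic into `$res`), but when the probe fails with any other message the output is silently discarded and the else branch runs the full tests. Echoing `$res` in the else branch when it is non-empty would make an unexpected probe failure visible in the test log.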
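Review bot: In utils/aa-mergeprof (hunk @@ -283,6 +284,9 @@), the pair `sev_db.unload_variables()` / `sev_db.load_variables(get_profile_filename(profile))` is the same two lines added to utils/apparmor/aa.py in hunk @@ -1590,6 +1592,10 @@. A small helper on the severity object (a hypothetical `reload_variables(profile_filename)`) would keep the two call sites from drifting apart.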
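Review bot: In utils/apparmor/aa.py (hunk @@ -557,8 +557,11 @@), `existing_profiles.pop(prof_name)` raises KeyError if the inactive profile's name is not in `existing_profiles`; `existing_profiles.pop(prof_name, None)` gives the intended "forget the filename if known" behaviour without a crash path. The trailing explanation would also read better as a comment line above the statement than as a very long end-of-line comment.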
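Review bot: In utils/apparmor/aa.py (hunk @@ -602,12 +600,13 @@), `proc.communicate(p['profile'].encode())` waits for the pager to exit, so the following `proc.kill()` acts on an already-finished process and can be dropped. The two commented-out `# proc.communicate('Profile submitted by %s:...` lines are now dead text beside the live call and should go as well.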
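Review bot: In utils/apparmor/aa.py (hunk @@ -2305,7 +2311,7 @@), `get_pager()` now returns the hard-coded string `'less'`. Since the function exists precisely to centralise the pager choice (the revno 3334 message says 'less' is hard-coded in several places), honouring the user's environment with `os.environ.get('PAGER', 'less')` here would let the other call sites be pointed at `get_pager()` later.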
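Review bot: In utils/apparmor/common.py (hunk @@ -245,11 +245,12 @@), `type(var) in [str, unicode]` keeps the old exact-type semantics, so subclasses of str are still rejected; if that is deliberate, a comment saying so would help, otherwise `isinstance(var, (str, unicode))` is the idiomatic form. The module-level `unicode = str` alias should also carry a note that it must stay above every use of `unicode` in the file, since pyflakes is the only thing that will complain if it is moved.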
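Review bot: In utils/apparmor/logparser.py (hunk @@ -133,7 +133,7 @@), `or event.net_protocol` is a truthiness test. If libapparmor reports an unset protocol as 0 and a genuine event can also carry protocol 0, such events would still miss the network branch; testing `event.net_family` as well, or comparing against `None` explicitly, would make the intent (any network parameter present) robust to a zero value.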
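Review bot: In utils/apparmor/rule/__init__.py (hunk @@ -312,10 +312,13 @@), the third argument of `include_rules.is_covered(rule, True, ...)` changes from `True` to `False`, which the revno 3344 message does not mention (it only describes no longer mutating `self.rules` during the loop). Please state in the message what that flag controls and why the cover check is relaxed, or split it into its own commit; the test-capability.py count change from 1 to 2 could otherwise be attributed to either change.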
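The following is an added example (not AppArmor's own code) of the bug that the revno 3344 message describes and the fix that the utils/apparmor/rule/__init__.py hunk applies: deleting from a Python list while a for loop walks it skips the element after each deletion, so some superfluous rules survive. `IncludeRules` and `Ruleset` are toy stand-ins for the real classes, and the rule strings are constructed sample data.

```python
# Added example: why delete_duplicates() missed rules before revno 3344.
# IncludeRules / Ruleset are minimal stand-ins (assumption: the real
# is_covered() does richer matching than set membership).

class IncludeRules:
    """Rules already provided by included abstractions."""
    def __init__(self, rules):
        self.rules = set(rules)

    def is_covered(self, rule):
        return rule in self.rules


class Ruleset:
    def __init__(self, rules):
        self.rules = list(rules)

    def delete(self, rule):
        self.rules.remove(rule)

    def delete_duplicates_buggy(self, include_rules):
        """Pre-3344 shape: self.delete() shortens self.rules while the for
        loop is indexing into it, so the element that slides into the
        current index is never examined."""
        deleted = 0
        for rule in self.rules:
            if include_rules.is_covered(rule):
                self.delete(rule)
                deleted += 1
        return deleted

    def delete_duplicates_fixed(self, include_rules):
        """3344 shape: walk the old list and rebuild self.rules from the
        rules that are not covered, so every rule is checked exactly once."""
        deleted = 0
        oldrules = self.rules
        self.rules = []
        for rule in oldrules:
            if include_rules.is_covered(rule):
                deleted += 1
            else:
                self.rules.append(rule)
        return deleted


# Constructed sample: three consecutive rules are covered by the include,
# which is exactly the pattern that makes the buggy loop skip one of them.
INCLUDED = ['capability sys_admin,', 'capability chgrp,', 'network inet raw,']
PROFILE_RULES = ['capability sys_admin,', 'capability chgrp,',
                 'network inet raw,', '/etc/hosts r,']


def run_buggy():
    """Returns (deleted_count, remaining_rules) for the pre-fix loop."""
    rs = Ruleset(PROFILE_RULES)
    deleted = rs.delete_duplicates_buggy(IncludeRules(INCLUDED))
    return deleted, rs.rules


def run_fixed():
    """Returns (deleted_count, remaining_rules) for the rebuild-based loop."""
    rs = Ruleset(PROFILE_RULES)
    deleted = rs.delete_duplicates_fixed(IncludeRules(INCLUDED))
    return deleted, rs.rules


if __name__ == '__main__':
    print('buggy:', run_buggy())   # 'capability chgrp,' survives
    print('fixed:', run_fixed())   # only '/etc/hosts r,' survives
```

Running it shows the buggy variant reporting two deletions and leaving `capability chgrp,` behind (the rule that slid into index 0 after `sys_admin` was removed), while the rebuild variant deletes all three covered rules; this is the same mechanism that produced the "XXX huh?" expectations removed from test-capability.py.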
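As an added example (my code, not libapparmor's scanner or the project's logparser.py), here is a small parser for AppArmor audit lines that exercises three of the log-handling changes in this diff together: syslog hostnames containing dots (revno 3327), `chown` as a file operation (revno 3335), and events whose operation looks like a file event but which carry network parameters and a `send`/`receive` mask (revnos 3333, 3341, 3342). The three input lines are the page's own test_multi fixtures; the regular expressions are an approximation of the scanner.l tokens, not the real grammar, and the `FILE_OPS` list is the one from the logparser.py hunk.

```python
import re

# Optional syslog prefix "Mon DD HH:MM:SS <hostname> kernel: [<uptime>] [audit: ]".
# The hostname class mirrors the widened scanner.l token [[:alnum:]._-]+ (assumption:
# an approximation of the real lexer, not a copy of it).
SYSLOG_PREFIX = re.compile(
    r'^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} '
    r'(?P<host>[A-Za-z0-9._-]+) kernel: \[ *\d+\.\d+\] (?:audit: )?'
)
AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# key=value pairs: the value is either double-quoted or a bare run of non-blanks.
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Operations that logparser.py treats as file events (the list from the hunk, with chown).
FILE_OPS = {'open', 'truncate', 'mkdir', 'mknod', 'chmod', 'chown', 'rename_src',
            'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link', 'sysctl',
            'getattr', 'setattr', 'xattr'}
NET_KEYS = ('family', 'sock_type', 'protocol', 'laddr', 'lport', 'faddr', 'fport')

# The three fixture lines added by this diff (file_chown.in,
# syslog_hostname_with_dot.in, testcase_network_send_receive.in).
SAMPLE_LINES = [
    'type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" '
    'profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=4',
    'Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] '
    'type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" '
    'profile="/opt/evoke/venv/bin/gunicorn" '
    'name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=110',
    'Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 '
    'audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" '
    'profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" '
    'laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" '
    'sock_type="stream" protocol=6 requested_mask="send receive" '
    'denied_mask="send receive"',
]


def parse_line(line):
    """Split one audit line into a dict; 'host' is None when there is no syslog prefix."""
    m = SYSLOG_PREFIX.match(line)
    rest = line[m.end():] if m else line
    ev = {key: quoted or bare for key, quoted, bare in KEY_VALUE.findall(rest)}
    ev['host'] = m.group('host') if m else None
    a = AUDIT_ID.search(rest)
    ev['audit_id'] = '%s:%s' % (a.group(1), a.group(2)) if a else None
    # Mirror revno 3342: keep the network parameters whenever any are present,
    # even if operation= looks like a file operation.
    ev['network'] = {k: ev[k] for k in NET_KEYS if k in ev}
    return ev


def classify(ev):
    """Decide how a profile generator should treat the event."""
    op = ev.get('operation', '')
    if op.startswith('file_') or op.startswith('inode_') or op in FILE_OPS:
        mask = ev.get('requested_mask', '')
        # Revnos 3333/3341: a file-looking operation with a send/receive mask is
        # really a network event; the hotfix drops it rather than crashing on
        # permission letters the file-rule code does not know.
        if 'send' in mask or 'receive' in mask:
            return 'ignored'
        return 'file'
    if ev.get('network'):
        return 'network'
    return 'unhandled'


def triage(lines):
    """Parse a batch of lines and return (host, operation, verdict) per line."""
    out = []
    for line in lines:
        ev = parse_line(line)
        out.append((ev['host'], ev.get('operation'), classify(ev)))
    return out


if __name__ == '__main__':
    for row in triage(SAMPLE_LINES):
        print(row)
```

The chown line parses as a plain file event with no hostname, the gunicorn line keeps its fully qualified hostname intact instead of stopping at the first dot, and the nginx-amplify line is recognised as a file-looking operation with a `send receive` mask and is ignored, while its family, socket type, protocol and address fields are still retained for anyone who wants to map it to a network rule later, which is what the `XXX` comment in the logparser.py hunk leaves as future work.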