Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:42.3:Rings:1-MinimalX
apparmor
upstream-changes-2.10-r3385..3390.diff
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File upstream-changes-2.10-r3385..3390.diff of Package apparmor
------------------------------------------------------------ revno: 3390 fixes bug: https://launchpad.net/bugs/1668892 committer: Tyler Hicks <tyhicks@canonical.com> branch nick: apparmor-2.10 timestamp: Fri 2017-03-24 17:39:49 +0000 message: utils: Add aa-remove-unknown utility to unload unknown profiles https://launchpad.net/bugs/1668892 This patch creates a new utility, with the code previously used in the init script 'restart' action, that removes unknown profiles which are not found in /etc/apparmor.d/. The functionality was removed from the common init script code in the fix for CVE-2017-6507. The new utility prints a message containing the name of each unknown profile before the profiles are removed. It also supports a dry run mode so that an administrator can check which profiles will be removed before unloading any unknown profiles. If you backport this utility with the fix for CVE-2017-6507 to an apparmor 2.10 release and your backported aa-remove-unknown utility is sourcing the upstream rc.apparmor.functions file, you'll want to include the following bug fix to prevent the aa-remove-unknown utility from removing child profiles that it shouldn't remove: r3440 - Fix: parser: incorrect output of child profile names Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> ------------------------------------------------------------ revno: 3389 fixes bug: https://launchpad.net/bugs/1668892 committer: Tyler Hicks <tyhicks@canonical.com> branch nick: apparmor-2.10 timestamp: Fri 2017-03-24 17:36:51 +0000 message: parser: Preserve unknown profiles when restarting apparmor init/job/unit CVE-2017-6507 https://launchpad.net/bugs/1668892 The common AppArmor 'restart' code used by some init scripts, upstart jobs, and/or systemd units contained functionality that is no longer appropriate to retain. Any profiles not found /etc/apparmor.d/ were assumed to be obsolete and were unloaded. That behavior became problematic now that there's a growing number of projects that maintain their own internal set of AppArmor profiles outside of /etc/apparmor.d/. It resulted in the AppArmor 'restart' code leaving some important processes running unconfined. A couple examples are profiles managed by LXD and Docker. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> ------------------------------------------------------------ revno: 3388 committer: Seth Arnold <seth.arnold@canonical.com> branch nick: 2.10 timestamp: Tue 2017-03-21 21:44:57 -0700 message: parser: Fix delete after new[] -- patch from Oleg Strikov <oleg.strikov@gmail.com> ------------------------------------------------------------ revno: 3387 committer: Christian Boltz <apparmor@cboltz.de> branch nick: 2.10 timestamp: Thu 2017-02-23 01:01:51 +0100 message: Ignore change_hat events with error=-1 and "unconfined can not change_hat" That's much better than crashing aa-logprof ;-) (use the log line in the added testcase if you want to see the crash) Reported by pfak on IRC. Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9. ------------------------------------------------------------ revno: 3386 committer: Christian Boltz <apparmor@cboltz.de> branch nick: 2.10 timestamp: Tue 2017-02-21 18:47:43 +0100 message: Remove re.LOCALE flag Starting with python 3.6, the re.LOCALE flag can only be used with byte patterns, and errors out if used with str. This patch removes the flag in get_translated_hotkey(). References: https://bugs.launchpad.net/apparmor/+bug/1661766 Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9 ------------------------------------------------------------ revno: 3385 committer: Steve Beattie <sbeattie@ubuntu.com> branch nick: 2.10 timestamp: Wed 2017-02-01 21:44:40 -0800 message: regression tests: fix environ fail case merge from trunk commit revision 3630 In the environ regression test, when the exec() of the child process fails, we don't report FAIL to stdout, so the regression tests consider it an error rather than a failure and abort, short-circuiting the test script. This commit fixes this by emitting the FAIL message when the result from the wait() syscall indicates the child process did not succeed. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> === added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err' === added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in' --- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in 2017-02-23 00:01:51 +0000 @@ -0,0 +1,1 @@ +Feb 21 23:22:01 mail-20170118 kernel: [1222198.459750] audit: type=1400 audit(1487719321.954:218): apparmor="ALLOWED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=19941 comm="apache2" === added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out' --- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out 2017-02-23 00:01:51 +0000 @@ -0,0 +1,12 @@ +START +File: unconfined-change_hat.in +Event type: AA_RECORD_ALLOWED +Audit ID: 1487719321.954:218 +Operation: change_hat +Profile: unconfined +Command: apache2 +Info: unconfined can not change_hat +ErrorCode: 1 +PID: 19941 +Epoch: 1487719321 +Audit subid: 218 === added file 'libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile' --- libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile 2017-02-23 00:01:51 +0000 @@ -0,0 +1,2 @@ +profile unconfined { +} === modified file 'parser/libapparmor_re/expr-tree.h' --- parser/libapparmor_re/expr-tree.h 2015-10-14 20:49:26 +0000 +++ parser/libapparmor_re/expr-tree.h 2017-03-22 04:44:57 +0000 @@ -672,7 +672,7 @@ ~hashedNodeVec() { - delete nodes; + delete [] nodes; } unsigned long size()const { return len; } === modified file 'parser/rc.apparmor.functions' --- parser/rc.apparmor.functions 2012-02-24 12:21:59 +0000 +++ parser/rc.apparmor.functions 2017-03-24 17:36:51 +0000 @@ -451,34 +451,7 @@ configure_owlsm parse_profiles reload - # Clean out running profiles not associated with the current profile - # set, excluding the libvirt dynamically generated profiles. - # Note that we reverse sort the list of profiles to remove to - # ensure that child profiles (e.g. hats) are removed before the - # parent. We *do* need to remove the child profile and not rely - # on removing the parent profile when the profile has had its - # child profile names changed. - profiles_names_list | awk ' -BEGIN { - while (getline < "'${SFS_MOUNTPOINT}'/profiles" ) { - str = sub(/ \((enforce|complain)\)$/, "", $0); - if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0) - arr[$str] = $str - } -} - -{ if (length(arr[$0]) > 0) { delete arr[$0] } } - -END { - for (key in arr) - if (length(arr[key]) > 0) { - printf("%s\n", arr[key]) - } -} -' | LC_COLLATE=C sort -r | while IFS= read profile ; do - echo -n "$profile" > "$SFS_MOUNTPOINT/.remove" - done - # will not catch all errors, but still better than nothing + rc=$? aa_log_end_msg $rc return $rc === modified file 'tests/regression/apparmor/environ.c' --- tests/regression/apparmor/environ.c 2010-12-20 20:29:10 +0000 +++ tests/regression/apparmor/environ.c 2017-02-02 05:44:40 +0000 @@ -63,6 +63,8 @@ if (retval == RET_CHLD_SUCCESS) { printf("PASS\n"); retval = 0; + } else { + printf("FAIL: Child failed\n"); } } else if (pid == 0) { === modified file 'utils/Makefile' --- utils/Makefile 2015-11-18 20:29:25 +0000 +++ utils/Makefile 2017-03-24 17:39:49 +0000 @@ -24,7 +24,7 @@ PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \ aa-autodep aa-audit aa-complain aa-enforce aa-disable \ aa-status aa-unconfined -TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode +TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode aa-remove-unknown PYSETUP = python-tools-setup.py PYMODULES = $(wildcard apparmor/*.py apparmor/rule/*.py) === added file 'utils/aa-remove-unknown' --- utils/aa-remove-unknown 1970-01-01 00:00:00 +0000 +++ utils/aa-remove-unknown 2017-03-24 17:39:49 +0000 @@ -0,0 +1,108 @@ +#!/bin/sh +# ---------------------------------------------------------------------- +# Copyright (c) 2017 Canonical Ltd. (All rights reserved) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# ---------------------------------------------------------------------- + +APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions +APPARMORFS=/sys/kernel/security/apparmor +PROFILES="${APPARMORFS}/profiles" +REMOVE="${APPARMORFS}/.remove" + +DRY_RUN=0 + +. $APPARMOR_FUNCTIONS + +usage() { + local progname="$1" + local rc="$2" + local msg="usage: ${progname} [options]\n +Remove profiles unknown to the system + +Options: + -h, --help Show this help message and exit + -n Dry run; don't remove profiles" + + if [ "$rc" -ne 0 ] ; then + echo "$msg" 1>&2 + else + echo "$msg" + fi + + exit "$rc" +} + +if [ "$#" -gt 1 ] ; then + usage "$0" 1 +elif [ "$#" -eq 1 ] ; then + if [ "$1" = "-h" -o "$1" = "--help" ] ; then + usage "$0" 0 + elif [ "$1" = "-n" ] ; then + DRY_RUN=1 + else + usage "$0" 1 + fi +fi + + +# We can't use a -r test here because while $PROFILES is world-readable, +# apparmorfs may still return EACCES from open() +# +# We have to do this check because error checking awk's getline() below is +# tricky and, as is, results in an infinite loop when apparmorfs returns an +# error from open(). +if ! IFS= read line < "$PROFILES" ; then + echo "ERROR: Unable to read apparmorfs profiles file" 1>&2 + exit 1 +elif [ ! -w "$REMOVE" ] ; then + echo "ERROR: Unable to write to apparmorfs remove file" 1>&2 + exit 1 +fi + +# Clean out running profiles not associated with the current profile +# set, excluding the libvirt dynamically generated profiles. +# Note that we reverse sort the list of profiles to remove to +# ensure that child profiles (e.g. hats) are removed before the +# parent. We *do* need to remove the child profile and not rely +# on removing the parent profile when the profile has had its +# child profile names changed. +profiles_names_list | awk ' +BEGIN { + while (getline < "'${PROFILES}'" ) { + str = sub(/ \((enforce|complain)\)$/, "", $0); + if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0) + arr[$str] = $str + } +} + +{ if (length(arr[$0]) > 0) { delete arr[$0] } } + +END { + for (key in arr) + if (length(arr[key]) > 0) { + printf("%s\n", arr[key]) + } +} +' | LC_COLLATE=C sort -r | \ + while IFS= read profile ; do + if [ "$DRY_RUN" -ne 0 ]; then + echo "Would remove '${profile}'" + else + echo "Removing '${profile}'" + echo -n "$profile" > "${REMOVE}" + fi + done + +# will not catch all errors, but still better than nothing +exit $? === added file 'utils/aa-remove-unknown.pod' --- utils/aa-remove-unknown.pod 1970-01-01 00:00:00 +0000 +++ utils/aa-remove-unknown.pod 2017-03-24 17:39:49 +0000 @@ -0,0 +1,51 @@ +=pod + +=head1 NAME + +aa-remove-unknown - remove unknown AppArmor profiles + +=head1 SYNOPSIS + +B<aa-remove-unknown> [option] + +=head1 DESCRIPTION + +B<aa-remove-unknown> will inventory all profiles in /etc/apparmor.d/, compare +that list to the profiles currently loaded into the kernel, and then remove all +of the loaded profiles that were not found in /etc/apparmor.d/. It will also +report the name of each profile that it removes on standard out. + +=head1 OPTIONS + +=over 4 + +=item -h, --help + +displays a short usage statement. + +=item -n + +dry run; only prints the names of profiles that would be removed + +=back + +=head1 EXAMPLES + + $ sudo ./aa-remove-unknown -n + Would remove 'test//null-/usr/bin/whoami' + Would remove 'test' + + $ sudo ./aa-remove-unknown + Removing 'test//null-/usr/bin/whoami' + Removing 'test' + +=head1 BUGS + +None. Please report any you find to Launchpad at +L<https://bugs.launchpad.net/apparmor/+filebug>. + +=head1 SEE ALSO + +apparmor(7) + +=cut === modified file 'utils/apparmor/logparser.py' --- utils/apparmor/logparser.py 2016-12-06 21:29:39 +0000 +++ utils/apparmor/logparser.py 2017-02-23 00:01:51 +0000 @@ -231,6 +231,8 @@ if e['operation'] == 'change_hat': if aamode != 'HINT' and aamode != 'PERMITTING': return None + if e['error_code'] == 1 and e['info'] == 'unconfined can not change_hat': + return None profile = e['name2'] #hat = None if '//' in e['name2']: === modified file 'utils/apparmor/ui.py' --- utils/apparmor/ui.py 2016-10-03 19:02:15 +0000 +++ utils/apparmor/ui.py 2017-02-21 17:47:43 +0000 @@ -64,8 +64,8 @@ msg = 'PromptUser: ' + _('Invalid hotkey for') # Originally (\S) was used but with translations it would not work :( - if re.search('\((\S+)\)', translated, re.LOCALE): - return re.search('\((\S+)\)', translated, re.LOCALE).groups()[0] + if re.search('\((\S+)\)', translated): + return re.search('\((\S+)\)', translated).groups()[0] else: if cmsg: raise AppArmorException(cmsg) vim:ft=diff
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
