Merge ~ahasenack/ubuntu/+source/rsyslog:lunar-rsyslog-enable-apparmor-dep8-take4-dot-d into ubuntu/+source/rsyslog:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 76271daab8cbf6a7bf649bd3e5a3c2e15139d8c1
Proposed branch: ~ahasenack/ubuntu/+source/rsyslog:lunar-rsyslog-enable-apparmor-dep8-take4-dot-d
Merge into: ubuntu/+source/rsyslog:ubuntu/devel
Diff against target: 774 lines (+556/-24)
26 files modified
debian/NEWS (+30/-0)
debian/README.apparmor (+132/-0)
debian/README.apparmor.rsyslog.d (+16/-0)
debian/apparmor/rsyslog-gnutls.apparmor (+3/-0)
debian/apparmor/rsyslog-mysql.apparmor (+20/-0)
debian/apparmor/rsyslog-openssl.apparmor (+3/-0)
debian/apparmor/rsyslog-pgsql.apparmor (+9/-0)
debian/changelog (+42/-0)
debian/reload-apparmor-profile (+14/-0)
debian/rsyslog-gnutls.install (+1/-0)
debian/rsyslog-mysql.install (+1/-0)
debian/rsyslog-openssl.install (+1/-0)
debian/rsyslog-pgsql.install (+1/-0)
debian/rsyslog.dirs (+1/-1)
debian/rsyslog.docs (+1/-0)
debian/rsyslog.install (+2/-0)
debian/rsyslog.postinst (+7/-0)
debian/rsyslog.preinst (+0/-15)
debian/rsyslog.service (+2/-0)
debian/tests/apparmor-include-mechanism (+92/-0)
debian/tests/control (+19/-0)
debian/tests/simple-logger (+36/-0)
debian/tests/simple-mysql (+42/-0)
debian/tests/simple-pgsql (+38/-0)
debian/tests/utils (+41/-0)
debian/usr.sbin.rsyslogd (+2/-8)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Athos Ribeiro (community) Approve
Simon Déziel (community) Approve
Canonical Server Core Reviewers Pending
Canonical Server Reporter Pending
Review via email: mp+436955@code.launchpad.net

Description of the change

Enable apparmor in enforce mode by default on fresh installs. UPDATE: upgrades from older versions (< $this-version) WILL change the confinement status.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/rsyslog-apparmor-dep8-take4/

LP won't run the DEP8 tests because this package never had such tests before, so you will have to run them locally. Bileto also didn't work, they are queued up for days (and against an older version of this work, so don't bother): https://bileto.ubuntu.com/#/ticket/4980

This is take 4 of my experiments with enforcing apparmor on rsyslog. How it works is documented in the new d/README.apparmor file.

It's a lot of delta to add at first glance, but I think it's easy to maintain as it's mostly new files, and small touches in existing ones. More importantly, no dependency or packaging changes, and we have tests :)

I checked the whole archive (with apt-file find) for packages that install files in /etc/rsyslog.d, looking for the ones that would violate the current apparmor rules (I know this misses packages that generate those config files in postinst). I found two:

prometheus-postfix-exporter
This package adds an rsyslog config that tells it to log mail messages to /var/lib/prometheus/postfix-exporter/mail.log, which is not covered by the apparmor profile. I used this package as an example to show what maintainers can do in such a case, and pushed it to the same PPA, and this branch:

https://code.launchpad.net/~ahasenack/ubuntu/+source/prometheus-postfix-exporter/+git/prometheus-postfix-exporter/+ref/lunar-prometheus-postfix-exporter-rsyslog-apparmor

The change is simple (I think):

https://git.launchpad.net/~ahasenack/ubuntu/+source/prometheus-postfix-exporter/commit/?id=dac36355f663bdc1eaf8aac164865b9d19b028f2

UPDATE 2022-02-11: that is no longer needed, as debian's latest upload of this package gave up on the custom mail.log file and is now using the normal /var/log/mail.log one, which is covered by the normal rsyslog apparmor profile.

octopussy
This one I didn't bother updating, because a) it's removed from debian; b) it's broken even without these apparmor changes. But the change would be the same approach as prometheus-postfix-exporter. It is piping logs to a fifo, so we would need an extra apparmor rule for that.

I still have other bin:rsyslog-* packages (from src:rsyslog) to go over, but the approach is the same, and I think it's time to get this reviewed and hopefully uploaded.

# Sending to debian
Before sending any of this to debian, we need to see how it will work out in practice for us.

# Merge from debian
There is a new debian upload which needs merging, and I commit to that after this branch.

# Take4? What's in take1, 2, and 3?

Just as a summary of what I tried previously, in case you are wondering "why didn't you try X?". If you want more details about those attempts, ask.

## Triggers
Work beautifully, but run too late. I found out many packages (part of rsyslog, and third party ones) restart rsyslog in their postinst, even though there is a trigger for that (just place a file in /etc/rsyslog.d and the trigger will restart rsyslog at the end of the apt/dpkg transaction). This meant that for a while rsyslog would be running without the apparmor changes applied by the trigger, and that was enough to cause it to fail.

## Config file analysis
This looked promising, and I can still use it in the future if I want, but as the sole method of adjusting the apparmor profile, it's complicated. I can easily enough get a full dump of the whole config file, with all the included files, but the problem is that rsyslog supports 3 config languages: very old syslog, old syslog, and current rainer script. The last two are hard to parse, as they can be multi-line and have "if" statements and so on. "grep" only takes me so far. I can still use this for some cases, at least to warn the user that something might not work, like when the "omprog" plugin is used (or pipe), as this one can call out to any binary on the system, anywhere.

Simon Déziel (sdeziel) wrote :

Thanks for working on this, I'll happily take it for a test drive!

You cannot include <rsyslog/include.d/*.apparmor> but you can include a whole directory:

  include if exists <rsyslog/include.d/>

What do you think?

Andreas Hasenack (ahasenack) wrote :

> include if exists <rsyslog/include.d/>

I briefly looked at the manpage and didn't see this option mentioned, of including whole directories. I'll search again, but if you have a direct link to it, I'd appreciate it :)

I'm curious to see what types of files this includes, if it's all files regardless of extension (bad), or something else.

Simon Déziel (sdeziel) wrote :

I didn't find any mention in the man page but figured it out with trial and error.

IMHO, having it include everything isn't that big of a deal. Putting a notice in commented-out text in /etc/apparmor.d/rsyslog/include.d/README should make it clear to everyone. Something like this:

# Every file under /etc/apparmor.d/rsyslog/include.d/
# is included by the rsyslog Apparmor profile

Andreas Hasenack (ahasenack) wrote :

> IMHO, having it include everything isn't that big of a deal.

We can't have it include everything. Think of *.dpkg-new, *.conf~, *~ backup files, editor temp files, even this README, etc.

Seth Arnold (seth-arnold) wrote :

I think the parser already skips the *.dpkg-new etc. files:

https://sources.debian.org/src/apparmor/3.0.8-2/parser/parser_main.c/#L1329
https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L127
https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L65

static struct ignored_suffix_t ignored_suffixes[] = {
    /* Debian packging files, which are in flux during install
       should be silently ignored. */
    { ".dpkg-new", 9, 1 },
    { ".dpkg-old", 9, 1 },
    { ".dpkg-dist", 10, 1 },
    { ".dpkg-bak", 9, 1 },
    { ".dpkg-remove", 12, 1 },
    /* Archlinux packaging files */
    { ".pacsave", 8, 1 },
    { ".pacnew", 7, 1 },
    /* RPM packaging files have traditionally not been silently
       ignored */
    { ".rpmnew", 7, 0 },
    { ".rpmsave", 8, 0 },
    /* patch file backups/conflicts */
    { ".orig", 5, 0 },
    { ".rej", 4, 0 },
    /* Backup files should be mentioned */
    { "~", 1, 0 },
    { NULL, 0, 0 }
};

Andreas Hasenack (ahasenack) wrote :

Any idea why this isn't documented? It was just forgotten, or is this an experimental feature, or a happy side effect of something else? I just don't want to rely on something that could go away all of a sudden, or change behavior unexpectedly, and then hear "you were relying on undocumented behavior, sorry" ;)

Simon Déziel (sdeziel) wrote (last edit ):

If the `ignored_suffixes` thing is officially supported, including a README file containing a few lines starting with "# " shouldn't matter too much, should it?

Sergio Durigan Junior (sergiodj) wrote :

The code to ignore certain file extensions is also replicated in the Python code that sits under utils/apparmor/:

https://git.launchpad.net/ubuntu/+source/apparmor/tree/utils/apparmor/rule/include.py#n141
https://git.launchpad.net/ubuntu/+source/apparmor/tree/utils/apparmor/common.py#n174

The feature is undocumented, but seems to be something formally supported by the project.

Also, README files are ignored so you shouldn't need to prefix its lines with a comment.

Andreas Hasenack (ahasenack) wrote :

Thanks for these links, Sergio, and the discussion in our standup. I'll proceed with making the changes to use a single include directory.

Andreas Hasenack (ahasenack) wrote :

I force-pushed changes to use an include directory without the intermediate generated file. Opening up for review again.

Simon Déziel (sdeziel) wrote :

LGTM, my only small observation is that reload-apparmor-profile could well be using `/bin/sh` instead of `/bin/bash`.

review: Approve
Andreas Hasenack (ahasenack) wrote :

> LGTM, my only small observation is that reload-apparmor-profile could well be
> using `/bin/sh` instead of `/bin/bash`.

Indeed, it got even simpler now. Switched.

Andreas Hasenack (ahasenack) wrote :

After a brief exchange in ubuntu-devel, I added a commit that changes the upgrade behavior of the package.

If upgrading from a version older than this one, apparmor will be enabled. In this way, if someone decides to disable apparmor after this update, it will remain so.

Athos Ribeiro (athos-ribeiro) wrote :

Thanks, Andreas!

This LGTM. I do appreciate you took the time to write documentation in different places here.

I added a few inline comments, mostly regarding the DEP8 tests introduced here.

Andreas Hasenack (ahasenack) wrote :

Made the last changes, uploaded a new build to the ppa (ppa17).

Andreas Hasenack (ahasenack) wrote :

I ran the tests locally on amd64:
autopkgtest [15:19:42]: @@@@@@@@@@@@@@@@@@@@ summary
apparmor-include-mechanism PASS
simple-logger PASS
simple-mysql PASS
simple-pgsql PASS

real 2m27,433s

We will only be able to run them in the ppa, with all architectures, once the package with at least one DEP8 test is uploaded and migrates.

Athos Ribeiro (athos-ribeiro) wrote :

Thanks for the changes and verification, Andreas. LGTM.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, athos-ribeiro
Uploaders: ahasenack, athos-ribeiro
MP auto-approved

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded:
Uploading rsyslog_8.2210.0-3ubuntu2.dsc
Uploading rsyslog_8.2210.0-3ubuntu2.debian.tar.xz
Uploading rsyslog_8.2210.0-3ubuntu2_source.buildinfo
Uploading rsyslog_8.2210.0-3ubuntu2_source.changes

Preview Diff

diff --git a/debian/NEWS b/debian/NEWS
index 35058fa..1421f59 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,33 @@
1rsyslog (8.2210.0-3ubuntu2) lunar; urgency=medium
2
3 The apparmor profile of rsyslog now defaults to be enforced on a fresh
4 install and upgrades from an earlier version. Upgrades from this version
5 forward won't change the enforcement status.
6
7 Packages that add an rsyslog configuration that might be blocked by the
8 apparmor profile, can add an apparmor configuration snippet in
9
10 /etc/apparmor.d/rsyslog.d/
11
12 This file should preferably be named like <pkg>.apparmor, but only standard
13 backup extensions are excluded. See
14 https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L68
15 for a list.
16
17 When the rsyslog service is started, its systemd unit file first executes
18 the /usr/lib/rsyslog/reload-apparmor-profile script via ExecStartPre. That
19 script will reload the rsyslogd apparmor profile including the configuration
20 snippets in /etc/apparmor.d/rsyslogd.d/, if any.
21
22 The confinement status is not changed.
23
24 After this, the unit proceeds to start rsyslog as usual.
25
26 For more information, check the README.apparmor file in the documentation
27 directory of this package.
28
29 -- Andreas Hasenack <andreas@canonical.com> Sun, 05 Feb 2023 15:42:31 -0300
30
1rsyslog (5.8.1-1) unstable; urgency=low31rsyslog (5.8.1-1) unstable; urgency=low
232
3 The way rsyslog processes SIGHUP has changed. It no longer does a reload33 The way rsyslog processes SIGHUP has changed. It no longer does a reload
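Review bot: line 20 refers to `/etc/apparmor.d/rsyslogd.d/`, while line 10 and the rest of the branch use `/etc/apparmor.d/rsyslog.d/`; the extra "d" in "rsyslogd.d" points readers at a directory that does not exist. Line 14 also links to `private.c/#L68` for the exclusion list while README.apparmor links to `#L65` for the same list; pick one anchor so the two documents agree.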
diff --git a/debian/README.apparmor b/debian/README.apparmor
4new file mode 10064434new file mode 100644
index 0000000..ab5e706
--- /dev/null
+++ b/debian/README.apparmor
@@ -0,0 +1,132 @@
1# rsyslog and AppArmor
2
3Starting with version 8.2210.0-3ubuntu2, on fresh installs and upgrades from
4earlier versions, rsyslog will be confined by default with AppArmor in enforce
5mode.
6
7The AppArmor profile for rsyslog has a static component, and a dynamic one. It
8all starts with the main profile in `/etc/apparmor.d/usr.sbin.rsyslogd`. That
9profile has an include directive for the dynamic component in
10`/etc/apparmor.d/rsyslog.d`:
11
12 # apparmor snippets for rsyslog from other packages
13 include if exists <rsyslog.d>
14
15All files placed in `/etc/apparmor.d/rsyslog.d` will be included, with the
16exception of standard backup files like files ending in `~`, or with a suffix
17generated by `dpkg` when there was a config file prompt. The full list of
18exclusions is not really documented, but can be inspected in the source code at
19https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L65.
20A `README` file is also ignored.
21
22When `rsyslog` is started, it will reload the apparmor profile, including all
23the snippets that may exist in the `rsyslog.d` include directory. This is done
24via a `ExecStartPre` call in the systemd unit file:
25
26 [Service]
27 Type=notify
28 ExecStartPre=/usr/lib/rsyslog/reload-apparmor-profile
29 ExecStart=/usr/sbin/rsyslogd -n -iNONE
30 ...
31
32Packages (and users) can place apparmor profile config file snippets in
33`/etc/apparmor.d/rsyslog.d/`. It is suggested that the filename be in the form
34of `<pkg>.apparmor`.
35
36For example, the `rsyslog-pgsql` debian package installs this file
37`/etc/apparmor.d/rsyslog.d/rsyslog-pgsql.apparmor`:
38
39 # PostgreSQL local access
40 include <abstractions/openssl>
41 include <abstractions/ssl_certs>
42 /etc/gss/mech.d/ r,
43 /etc/gss/mech.d/* r,
44 /{,var/}run/postgresql/.s.PGSQL.*[0-9] rw,
45
46When `rsyslog` starts, the `reload-apparmor-profile` will run and
47reload the `rsyslogd` apparmor profile just before rsyslogd itself is
48started. Note that the enforcement status of the profile (enforce, complain) is
49not changed.
50
51
52# Troubleshooting
53
54When rsyslog gets something denied, particularly if it's in an output module,
55it will retry a few times and eventually give up. It usually won´t crash, so
56the only way to notice something is wrong is by inspecting the logs, or, well,
57by noticing something isn't working, like logging to a database.
58
59Here are the most useful troubleshooting tips.
60
61
62## Watch the logs
63
64Look for rsyslog errors in the logs, particularly `/var/log/syslog`, or via
65`journalctl -u rsyslog.service -f`. For example, when it can't connect to a
66local MySQL server, messages like these will appear:
67
68 Jan 31 17:27:15 sender rsyslogd[82257]: ommysql: db error (2002): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13) [v8.2210.0]
69 Jan 31 17:27:15 sender rsyslogd[82257]: action 'action-8-ommysql' suspended (module 'ommysql'), retry 0. There should be messages before this one giving the reason for suspe>
70
71
72## Inspect dmesg/apparmor
73
74If the rsyslog apparmor profile is interfering with rsyslog, there will be
75messages about it in the `dmesg` output (or in the audit log, if `auditd` is
76installed). For example, for the mysql case:
77
78 [Tue Feb 7 12:35:28 2023] audit: type=1400 audit(1675773329.453:84): apparmor="DENIED" operation="connect" class="file" profile="rsyslogd" name="/run/mysqld/mysqld.sock" pid=15495 comm=72733A6D61696E20513A526567 requested_mask="wr" denied_mask="wr" fsuid=101 ouid=107
79
80Since the rsyslog apparmor profile now may include multiple files from
81`/etc/apparmor.d/rsyslog.d`, it helps to visualize the whole profile as one
82file. The `apparmor_parser` command can be used for that with the `-p` option:
83
84 # apparmor_parser -p /etc/apparmor.d/usr.sbin.rsyslogd
85 ...
86 ##included <rsyslog.d/rsyslog-mysql.apparmor>
87 # MySQL local server access
88 ...
89
90This will show all included files, including abstractions.
91
92
93# Example
94
95Here is an example of what it would look like to adapt a package that ships a
96rsyslog configuration that needs the rsyslog apparmor profile to be adjusted.
97
98The `prometheus-postfix-exporter` adds an rsyslog config that has it write logs
99to `/var/lib/prometheus/postfix-exporter/mail.log`, which is not allowed by the
100base rsyslog apparmor profile.
101
102This is what the fix for this package would look like:
103
104```diff
105
106diff --git a/debian/dirs b/debian/dirs
107index 6d3533d..50d9ad8 100644
108--- a/debian/dirs
109+++ b/debian/dirs
110@@ -1,3 +1,4 @@
111 etc/rsyslog.d
112+etc/apparmor.d/rsyslog.d
113 var/lib/prometheus/postfix-exporter
114 var/log/prometheus
115diff --git a/debian/rsyslog-prometheus-postfix-exporter.apparmor b/debian/rsyslog-prometheus-postfix-exporter.apparmor
116new file mode 100644
117index 0000000..1b9f85f
118--- /dev/null
119+++ b/debian/rsyslog-prometheus-postfix-exporter.apparmor
120@@ -0,0 +1 @@
121+ /var/lib/prometheus/postfix-exporter/mail.log rw,
122diff --git a/debian/rules b/debian/rules
123index e8ce2f9..ffcf383 100755
124--- a/debian/rules
125+++ b/debian/rules
126@@ -16,3 +16,5 @@ override_dh_auto_install:
127 dh_auto_install -- --no-source
128 install -m644 debian/rsyslog.conf \
129 debian/$(BINNAME)/etc/rsyslog.d/$(BINNAME).conf
130+ install -m644 debian/rsyslog-prometheus-postfix-exporter.apparmor \
131+ debian/$(BINNAME)/etc/apparmor.d/rsyslog.d
132```
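Review bot: the prometheus-postfix-exporter example at lines 95-131 is described in the merge proposal as no longer needed (Debian's latest upload logs to the normal /var/log/mail.log, which the base profile already covers), so a sentence saying the example is illustrative only would stop readers from filing a bug against a package that no longer needs the change. Smaller point: line 55 has an acute accent in "won´t" where an apostrophe is meant.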
diff --git a/debian/README.apparmor.rsyslog.d b/debian/README.apparmor.rsyslog.d
0new file mode 100644133new file mode 100644
index 0000000..030b9b9
--- /dev/null
+++ b/debian/README.apparmor.rsyslog.d
@@ -0,0 +1,16 @@
1# This directory is meant to be used by packages that need to augment the
2# existing rsyslogd profile with extra rules. All files in here will be
3# included by the /etc/apparmor.d/usr.sbin.rsyslogd profile, subject to the
4# exclusion rules defined in
5#
6# https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L65
7#
8# and
9#
10# https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L132
11#
12# Please check the README.apparmor file in the documentation directory of the
13# rsyslog package for more information.
14#
15# For the usual overrides and other additions by local administrators, please
16# use the /etc/apparmor.d/local/ mechanism.
diff --git a/debian/apparmor/rsyslog-gnutls.apparmor b/debian/apparmor/rsyslog-gnutls.apparmor
0new file mode 10064417new file mode 100644
index 0000000..9d5147e
--- /dev/null
+++ b/debian/apparmor/rsyslog-gnutls.apparmor
@@ -0,0 +1,3 @@
1# GnuTLS library rules
2
3 /etc/gnutls/config r,
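Review bot: line 3 `/etc/gnutls/config r,` carries a leading space while the mysql and pgsql snippets start their rules in column 0; the same applies to line 3 of rsyslog-openssl.apparmor. The parser does not care, but consistent indentation across the four snippets makes the combined `apparmor_parser -p` output easier to read.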
diff --git a/debian/apparmor/rsyslog-mysql.apparmor b/debian/apparmor/rsyslog-mysql.apparmor
0new file mode 1006444new file mode 100644
index 0000000..0f9ad34
--- /dev/null
+++ b/debian/apparmor/rsyslog-mysql.apparmor
@@ -0,0 +1,20 @@
1# MySQL local server access
2
3include <abstractions/openssl>
4
5/etc/mysql/my.cnf r,
6/etc/mysql/mysql.cnf r,
7/etc/mysql/my.cnf.fallback r,
8
9/etc/mysql/conf.d/ r,
10/etc/mysql/conf.d/mysql.cnf r,
11/etc/mysql/conf.d/mysqldump.cnf r,
12
13/etc/mysql/mysql.conf.d/ r,
14/etc/mysql/mysql.conf.d/mysql.cnf r,
15/etc/mysql/mysql.conf.d/mysqld.cnf r,
16
17/usr/share/mysql/charsets/Index.xml r,
18
19/{,var/}run/mysqld/mysqld.sock rw,
20
diff --git a/debian/apparmor/rsyslog-openssl.apparmor b/debian/apparmor/rsyslog-openssl.apparmor
0new file mode 10064421new file mode 100644
index 0000000..f561b40
--- /dev/null
+++ b/debian/apparmor/rsyslog-openssl.apparmor
@@ -0,0 +1,3 @@
1# OpenSSL library rules
2
3 /etc/ssl/openssl.cnf r,
diff --git a/debian/apparmor/rsyslog-pgsql.apparmor b/debian/apparmor/rsyslog-pgsql.apparmor
0new file mode 1006444new file mode 100644
index 0000000..3111a70
--- /dev/null
+++ b/debian/apparmor/rsyslog-pgsql.apparmor
@@ -0,0 +1,9 @@
1# PostgreSQL local access
2
3include <abstractions/openssl>
4include <abstractions/ssl_certs>
5
6/etc/gss/mech.d/ r,
7/etc/gss/mech.d/* r,
8/{,var/}run/postgresql/.s.PGSQL.*[0-9] rw,
9
diff --git a/debian/changelog b/debian/changelog
index b470943..b782302 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,45 @@
1rsyslog (8.2210.0-3ubuntu2) lunar; urgency=medium
2
3 * Support apparmor profile snippets:
4 - d/usr.sbin.rsyslogd: add "include if exists" for the rsyslog.d
5 directory, and remove the now unnecessary mysql and postgresql
6 sections
7 - d/rsyslog.preinst: don't disable the apparmor profile on install
8 - d/rsyslog.postinst: remove disabling of apparmor on upgrades if we
9 are upgrading from a version older than $now.
10 - d/rsyslog.dirs: install /etc/apparmor.d/rsyslog.d/
11 - d/{apparmor/rsyslog-mysql,rsyslog-mysql.install}: add apparmor
12 profile for mysql plugin
13 - d/{apparmor/rsyslog-pgsql,rsyslog-pgsql.install}: add apparmor
14 profile for postgresql plugin
15 - d/{apparmor/rsyslog-gnutls.apparmor,rsyslog-gnutls.install}: add
16 apparmor profile for the gnutls plugin
17 - d/{apparmor/rsyslog-openssl.apparmor,rsyslog-gnutls.install}: add
18 apparmor profile for the openssl plugin
19 - New script to reload apparmor profile:
20 + d/rsyslog.service: reload apparmor profile in ExecStartPre and
21 set StandardError to journal so we can see errors from the
22 script
23 + d/rsyslog.install: install reload-apparmor-profile
24 + d/reload-apparmor-profile: script to reload the
25 rsyslogd apparmor profile
26 - d/NEWS: add info about apparmor changes in the Ubuntu packaging
27 - d/rsyslog.docs, d/README.apparmor: explains how the dynamic
28 component of the rsyslog apparmor profile is applied
29 - d/README.apparmor.rsyslog.d, d/rsyslog.install: install a specific
30 README file in the apparmor include directory for rsyslog
31 * Add DEP8 tests (LP: #1906333):
32 - d/t/control, d/t/simple-logger: simple logger test
33 - d/t/utils: common function(s)
34 - d/t/control, d/t/simple-mysql: DEP8 test using rsyslog with a
35 MySQL server
36 - d/t/control, d/t/simple-pgsql: DEP8 test using rsyslog with a
37 PostgreSQL server
38 - d/t/apparmor-include-mechanism: DEP8 test for the rsyslog.d
39 include mechanism used by the rsyslog apparmor profile
40
41 -- Andreas Hasenack <andreas@canonical.com> Fri, 17 Feb 2023 14:22:27 -0300
42
1rsyslog (8.2210.0-3ubuntu1) lunar; urgency=low43rsyslog (8.2210.0-3ubuntu1) lunar; urgency=low
244
3 * Merge from Debian unstable. Remaining changes:45 * Merge from Debian unstable. Remaining changes:
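Review bot: line 17 credits the openssl profile to `rsyslog-gnutls.install`, but the file modified for it is `debian/rsyslog-openssl.install` (see the file list and the rsyslog-openssl.install hunk); it should read `d/{apparmor/rsyslog-openssl.apparmor,rsyslog-openssl.install}`. Lines 11 and 13 also drop the `.apparmor` suffix from the mysql and pgsql snippet names while lines 15 and 17 keep it.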
diff --git a/debian/reload-apparmor-profile b/debian/reload-apparmor-profile
4new file mode 10075546new file mode 100755
index 0000000..25c39e3
--- /dev/null
+++ b/debian/reload-apparmor-profile
@@ -0,0 +1,14 @@
1#!/bin/sh
2
3apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
4include_dir="/etc/apparmor.d/rsyslog.d"
5
6[ -f "${apparmor_profile}" ] || exit 0
7[ -d "${include_dir}" ] || exit 0
8aa-status --enabled 2>/dev/null || exit 0
9
10apparmor_parser -r -W -T "${apparmor_profile}" || {
11 echo "Failed to reload the ${apparmor_profile} apparmor profile, continuing anyway" >&2
12}
13
14exit 0
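Review bot: the script never checks `/etc/apparmor.d/disable/usr.sbin.rsyslogd` (or `force-complain/`) before line 10 runs `apparmor_parser -r`, and apparmor_parser itself does not consult those directories; that convention is implemented by the apparmor init scripts, not the parser. An administrator who disabled the profile the way the old preinst did (a symlink in disable/) will therefore get it loaded again on the next rsyslog start, which contradicts "The confinement status is not changed" in NEWS line 22 and README.apparmor lines 48-49. Suggest `[ -e /etc/apparmor.d/disable/usr.sbin.rsyslogd ] && exit 0` after line 7, and passing `-C` to apparmor_parser when a force-complain entry exists.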
diff --git a/debian/rsyslog-gnutls.install b/debian/rsyslog-gnutls.install
index c5784ce..4579469 100644
--- a/debian/rsyslog-gnutls.install
+++ b/debian/rsyslog-gnutls.install
@@ -1 +1,2 @@
1usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/lmnsd_gtls.so1usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/lmnsd_gtls.so
2debian/apparmor/rsyslog-gnutls.apparmor etc/apparmor.d/rsyslog.d/
diff --git a/debian/rsyslog-mysql.install b/debian/rsyslog-mysql.install
index 9de8064..fedff5c 100644
--- a/debian/rsyslog-mysql.install
+++ b/debian/rsyslog-mysql.install
@@ -1,2 +1,3 @@
1usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/ommysql.so1usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/ommysql.so
2debian/rsyslog-mysql.conf.template usr/share/rsyslog-mysql/2debian/rsyslog-mysql.conf.template usr/share/rsyslog-mysql/
3debian/apparmor/rsyslog-mysql.apparmor etc/apparmor.d/rsyslog.d/
diff --git a/debian/rsyslog-openssl.install b/debian/rsyslog-openssl.install
index 492defb..bc5358e 100644
--- a/debian/rsyslog-openssl.install
+++ b/debian/rsyslog-openssl.install
@@ -1 +1,2 @@
1usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/lmnsd_ossl.so1usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/lmnsd_ossl.so
2debian/apparmor/rsyslog-openssl.apparmor etc/apparmor.d/rsyslog.d/
diff --git a/debian/rsyslog-pgsql.install b/debian/rsyslog-pgsql.install
index 3fb57d3..946fe3f 100644
--- a/debian/rsyslog-pgsql.install
+++ b/debian/rsyslog-pgsql.install
@@ -1,2 +1,3 @@
1usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/ompgsql.so1usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/ompgsql.so
2debian/rsyslog-pgsql.conf.template usr/share/rsyslog-pgsql/2debian/rsyslog-pgsql.conf.template usr/share/rsyslog-pgsql/
3debian/apparmor/rsyslog-pgsql.apparmor etc/apparmor.d/rsyslog.d/
diff --git a/debian/rsyslog.dirs b/debian/rsyslog.dirs
index 93f7b6a..1fdfad8 100644
--- a/debian/rsyslog.dirs
+++ b/debian/rsyslog.dirs
@@ -3,4 +3,4 @@
3/etc/apparmor.d/force-complain/3/etc/apparmor.d/force-complain/
4/etc/apparmor.d/disable/4/etc/apparmor.d/disable/
5/etc/apparmor.d/local/5/etc/apparmor.d/local/
66/etc/apparmor.d/rsyslog.d/
diff --git a/debian/rsyslog.docs b/debian/rsyslog.docs
index 62deb04..336a33e 100644
--- a/debian/rsyslog.docs
+++ b/debian/rsyslog.docs
@@ -1 +1,2 @@
1AUTHORS1AUTHORS
2debian/README.apparmor
diff --git a/debian/rsyslog.install b/debian/rsyslog.install
index 5455991..66cd7b1 100755
--- a/debian/rsyslog.install
+++ b/debian/rsyslog.install
@@ -3,6 +3,7 @@ debian/rsyslog.conf etc/
3debian/00rsyslog.conf usr/lib/tmpfiles.d/3debian/00rsyslog.conf usr/lib/tmpfiles.d/
4debian/50-default.conf /usr/share/rsyslog4debian/50-default.conf /usr/share/rsyslog
5debian/rsyslog-rotate usr/lib/rsyslog/5debian/rsyslog-rotate usr/lib/rsyslog/
6debian/reload-apparmor-profile usr/lib/rsyslog/
6usr/sbin/7usr/sbin/
7usr/share/man/man5/8usr/share/man/man5/
8usr/share/man/man8/9usr/share/man/man8/
@@ -39,4 +40,5 @@ usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/pm*.so
39[linux-any] usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/imjournal.so40[linux-any] usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/imjournal.so
40[linux-any] usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/omjournal.so41[linux-any] usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/omjournal.so
41debian/usr.sbin.rsyslogd etc/apparmor.d/42debian/usr.sbin.rsyslogd etc/apparmor.d/
43debian/README.apparmor.rsyslog.d => etc/apparmor.d/rsyslog.d/README
42debian/dmesg.service lib/systemd/system44debian/dmesg.service lib/systemd/system
diff --git a/debian/rsyslog.postinst b/debian/rsyslog.postinst
index efc6d08..ea93fbf 100644
--- a/debian/rsyslog.postinst
+++ b/debian/rsyslog.postinst
@@ -44,6 +44,13 @@ case "$1" in
44 if dpkg --compare-versions "$2" lt-nl "8.2110.0-2"; then44 if dpkg --compare-versions "$2" lt-nl "8.2110.0-2"; then
45 update-rc.d -f rsyslog remove || true45 update-rc.d -f rsyslog remove || true
46 fi46 fi
47
48 if dpkg --compare-versions "$2" lt-nl "8.2210.0-3ubuntu2~"; then
49 # In this version we removed the disabling of the rsyslog apparmor
50 # profile, i.e., it's enabled by default. Gate on it to avoid
51 # re-enabling it if the user has explicitly disabled it afterwards.
52 rm -f /etc/apparmor.d/disable/usr.sbin.rsyslogd
53 fi
47 ;;54 ;;
4855
49 triggered)56 triggered)
diff --git a/debian/rsyslog.preinst b/debian/rsyslog.preinst
index 7e86bb8..2f726ab 100644
--- a/debian/rsyslog.preinst
+++ b/debian/rsyslog.preinst
@@ -6,19 +6,4 @@ if [ "$1" = "install" ] && [ -n "$2" ] ; then
6 [ -f /etc/logrotate.d/rsyslog.disabled ] && mv -f /etc/logrotate.d/rsyslog.disabled /etc/logrotate.d/rsyslog6 [ -f /etc/logrotate.d/rsyslog.disabled ] && mv -f /etc/logrotate.d/rsyslog.disabled /etc/logrotate.d/rsyslog
7fi7fi
88
9disable_profile() {
10 APP_CONFFILE="/etc/apparmor.d/usr.sbin.rsyslogd"
11 APP_DISABLE="/etc/apparmor.d/disable/usr.sbin.rsyslogd"
12 # Create a symlink to the yet-to-be-unpacked profile
13 if [ ! -e "$APP_CONFFILE" ]; then
14 mkdir -p `dirname $APP_DISABLE` 2>/dev/null || true
15 ln -sf $APP_CONFFILE $APP_DISABLE
16 fi
17}
18
19if [ "$1" = "install" ]; then
20 # Disable AppArmor profile on install
21 disable_profile
22fi
23
24#DEBHELPER#9#DEBHELPER#
diff --git a/debian/rsyslog.service b/debian/rsyslog.service
index c64a9ea..0d24b10 100644
--- a/debian/rsyslog.service
+++ b/debian/rsyslog.service
@@ -7,8 +7,10 @@ Documentation=https://www.rsyslog.com/doc/
77
8[Service]8[Service]
9Type=notify9Type=notify
10ExecStartPre=/usr/lib/rsyslog/reload-apparmor-profile
10ExecStart=/usr/sbin/rsyslogd -n -iNONE11ExecStart=/usr/sbin/rsyslogd -n -iNONE
11StandardOutput=null12StandardOutput=null
13StandardError=journal
12Restart=on-failure14Restart=on-failure
1315
14# Increase the default a bit in order to allow many simultaneous16# Increase the default a bit in order to allow many simultaneous
diff --git a/debian/tests/apparmor-include-mechanism b/debian/tests/apparmor-include-mechanism
15new file mode 10075517new file mode 100755
index 0000000..728d17f
--- /dev/null
+++ b/debian/tests/apparmor-include-mechanism
@@ -0,0 +1,92 @@
1#!/bin/bash
2
3set -e
4set -o pipefail
5
6include_dir="/etc/apparmor.d/rsyslog.d"
7apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
8declare -i ret
9ret=0
10
11cleanup() {
12 rm -f "${include_dir}"/do-not-include*
13 rm -f "${include_dir}"/README
14 rm -f "${include_dir}"/pkg1.apparmor
15 rm -f "${include_dir}"/randomfile
16}
17
18trap cleanup EXIT
19
20standard_backup_files_are_not_included() {
21 local -a ignored_suffixes
22 local -a exclusions
23 local -a inclusions
24 local -i lines=0
25 local fname
26 local suffix
27 local full_profile
28
29 cleanup
30
31 # taken from https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L65
32 # and https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L133
33 ignored_suffixes=(.dpkg-new .dpkg-old .dpkg-dist .dpkg-bak .dpkg-remove .pacsave .pacnew .rpmnew .rpmsave .orig .rej \~)
34 exclusions+=("README" ".somedotfile")
35 for suffix in "${ignored_suffixes[@]}"; do
36 exclusions+=("do-not-include${suffix}")
37 done
38
39 echo "## Files with known backup extensions, that start with a dot, and a README file, are not included. Testing with:"
40 echo "${exclusions[*]}"
41 echo
42
43 for fname in "${exclusions[@]}"; do
44 echo "# BUG this should not be included: ${fname}" > "${include_dir}/${fname}"
45 done
46
47 # just a few, for a sanity check
48 inclusions=(pkg1.apparmor randomfile)
49 echo "## These, however, should be included: ${inclusions[*]}"
50 for fname in "${inclusions[@]}"; do
51 echo "# must be included: ${fname}" > "${include_dir}/${fname}"
52 done
53
54 echo "## Generated test files:"
55 ls -la /etc/apparmor.d/rsyslog.d/
56
57 full_profile=$(apparmor_parser -p "${apparmor_profile}")
58
59 echo "## Verifying that none of the excluded files were included in the apparmor profile:"
60 if echo "${full_profile}" | grep -F "BUG this should not be included"; then
61 return 1 # the caller will print ## FAIL
62 else
63 echo "## OK"
64 fi
65
66 echo "## Verifying that all the allowed files were included:"
67 lines=$(echo "${full_profile}" | grep -F "must be included" | wc -l)
68 if [ ${lines} -ne ${#inclusions[@]} ]; then
69 echo "## Found ${lines} inclusions, expected ${#inclusions[@]}"
70 return 1
71 fi
72}
73
74
75for t in \
76 standard_backup_files_are_not_included; do
77
78 echo
79 if "${t}"; then
80 echo "## OK"
81 else
82 ret=1
83 echo "## FAIL"
84 fi
85done
86
87echo
88if [ ${ret} -ne 0 ]; then
89 echo "## One or more tests FAILED"
90fi
91
92exit ${ret}
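Review bot: `cleanup()` does not remove every file the test creates: `exclusions+=("README" ".somedotfile")` writes `${include_dir}/.somedotfile`, but the `rm -f` list covers only `do-not-include*`, `README`, `pkg1.apparmor` and `randomfile`, so the dotfile is left behind in /etc/apparmor.d/rsyslog.d after the run (the EXIT trap fires, but nothing in it matches that name). Add `rm -f "${include_dir}"/.somedotfile` to cleanup. Minor: `ls -la /etc/apparmor.d/rsyslog.d/` hardcodes the path that `include_dir` already holds; use `"${include_dir}"`. Also `echo "## OK"` is printed both inside `standard_backup_files_are_not_included` (after the exclusion check) and by the loop that calls it, so a passing run reports OK twice; the comment `# the caller will print ## FAIL` suggests the caller was meant to own both messages.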
diff --git a/debian/tests/control b/debian/tests/control
0new file mode 10064493new file mode 100644
index 0000000..89703c0
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,19 @@
1Tests: apparmor-include-mechanism
2Depends: rsyslog, apparmor
3Restrictions: needs-root allow-stderr
4
5Tests: simple-logger
6Depends: rsyslog, bsdutils, apparmor-utils, uuid-runtime
7Restrictions: needs-root
8
9Tests: simple-mysql
10# rsyslog-mysql has to be installed by the test script, because it pulls in dbconfig-common
11# which will be setup *before* mysql-server is configured and running, which fails.
12Depends: bsdutils, apparmor-utils, mysql-server, uuid-runtime
13Restrictions: needs-root
14
15Tests: simple-pgsql
16# rsyslog-pgsql has to be installed by the test script, because it pulls in dbconfig-common
17# which will be setup *before* postgresql is configured and running, which fails.
18Depends: bsdutils, apparmor-utils, postgresql, postgresql-client, uuid-runtime
19Restrictions: needs-root
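Review bot: the `simple-pgsql` stanza's Depends is missing `sudo`: the shared helper in debian/tests/utils runs `sudo -u postgres -i psql ...`, and none of `postgresql`, `postgresql-client`, `bsdutils`, `apparmor-utils` or `uuid-runtime` is known to pull sudo in, so the test relies on the testbed happening to have it. Either add `sudo` to that Depends line or switch the helper to `runuser -u postgres --` from util-linux, which is essential and therefore always present. Also worth a note in the comments: because both database tests run `apt-get install` at test time, they need a reachable archive mirror from the testbed, which matters for whoever runs these locally as the description asks.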
diff --git a/debian/tests/simple-logger b/debian/tests/simple-logger
0new file mode 10075520new file mode 100755
index 0000000..1c38834
--- /dev/null
+++ b/debian/tests/simple-logger
@@ -0,0 +1,36 @@
1#!/bin/bash
2
3set -e
4set -o pipefail
5
6# make sure we are confined and in enforce mode for this test, if supported
7apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
8if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
9 echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
10
11elif [ ! -f "${apparmor_profile}" ]; then
12 echo "No ${apparmor_profile} file, not touching apparmor status"
13
14elif ! aa-status --enabled 2>/dev/null; then
15 echo "Apparmor disabled (aa-status)"
16
17else
18 echo "Enforcing the ${apparmor_profile} apparmor profile"
19 aa-enforce "${apparmor_profile}"
20fi
21
22message="logger-test-value=$(uuidgen)"
23
24echo "Logging message: ${message}"
25logger --id=$$ --priority user.notice "${message}"
26
27logs=$(tail -n 10 /var/log/syslog)
28if echo "${logs}" | grep -qE "${message}"; then
29 echo "Message correctly found in system logs"
30else
31 echo "Failed to find message \"${message}\" in /var/log/syslog"
32 echo "Last 5 lines are:"
33 echo "${logs}"
34 exit 1
35fi
36
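Review bot: two messages disagree with the code they describe: the first branch tests `/etc/apparmor.d/rsyslog.d` but prints "No /etc/apparmor.d/rsyslog directory", and `logs=$(tail -n 10 /var/log/syslog)` is followed by "Last 5 lines are:". Fix the strings, or derive the count from a variable. More importantly there is no retry: rsyslog writes asynchronously, so a single `tail` run immediately after `logger` can race the write and fail intermittently, while the database tests in this same series already poll for up to 10 seconds through `check_db_for_message`. The same small loop here would remove the flakiness. `grep -qE "${message}"` also treats the message as a regular expression; `-F` is the safer match for a literal uuid string.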
diff --git a/debian/tests/simple-mysql b/debian/tests/simple-mysql
0new file mode 10075537new file mode 100755
index 0000000..036f1af
--- /dev/null
+++ b/debian/tests/simple-mysql
@@ -0,0 +1,42 @@
1#!/bin/bash
2
3set -e
4set -o pipefail
5
6source debian/tests/utils
7
8# make sure we are confined and in enforce mode for this test, if supported
9apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
10if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
11 echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
12
13elif [ ! -f "${apparmor_profile}" ]; then
14 echo "No ${apparmor_profile} file, not touching apparmor status"
15
16elif ! aa-status --enabled 2>/dev/null; then
17 echo "Apparmor disabled (aa-status)"
18
19else
20 echo "Enforcing the ${apparmor_profile} apparmor profile"
21 aa-enforce "${apparmor_profile}"
22fi
23
24# Installing rsyslog-mysql without having a mysql DB already configured on
25# localhost fails, because the dbconfig-common postinst runs before the mysql
26# postinst. A Depends cannot be used in the packaging because the database
27# might be remote.
28# Therefore we add mysql-server to the DEP8 dependency list in d/t/control, and
29# install rsyslog-mysql from inside the test. In this way, mysql is already
30# configured when we get here.
31DEBIAN_FRONTEND=noninteractive apt-get install -y rsyslog-mysql
32
33# Values from a default install of rsyslog-mysql
34DBNAME="Syslog"
35TABLE="SystemEvents"
36
37message="logger-test-value=$(uuidgen)"
38
39echo "Logging message: ${message}"
40logger --id=$$ --priority user.notice "${message}"
41
42check_db_for_message mysql "${message}"
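Review bot: `DBNAME="Syslog"` and `TABLE="SystemEvents"` are defined but never used; `check_db_for_message` in debian/tests/utils sets its own `dbname`/`table` for the mysql case, so these two lines are dead and will silently drift if the defaults change in one place but not the other. Drop them or pass them to the helper. The apparmor enforce block is also copied verbatim into simple-logger, simple-mysql and simple-pgsql, including the "No /etc/apparmor.d/rsyslog directory" message for a check on rsyslog.d; moving it into utils as a function would fix it once and keep the three tests in step.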
diff --git a/debian/tests/simple-pgsql b/debian/tests/simple-pgsql
0new file mode 10075543new file mode 100755
index 0000000..9f4c163
--- /dev/null
+++ b/debian/tests/simple-pgsql
@@ -0,0 +1,38 @@
1#!/bin/bash
2
3set -e
4set -o pipefail
5
6source debian/tests/utils
7
8# make sure we are confined and in enforce mode for this test, if supported
9apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
10if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
11 echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
12
13elif [ ! -f "${apparmor_profile}" ]; then
14 echo "No ${apparmor_profile} file, not touching apparmor status"
15
16elif ! aa-status --enabled 2>/dev/null; then
17 echo "Apparmor disabled (aa-status)"
18
19else
20 echo "Enforcing the ${apparmor_profile} apparmor profile"
21 aa-enforce "${apparmor_profile}"
22fi
23
24# Installing rsyslog-pgsql without having a postgresq DB already configured on
25# localhost fails, because the dbconfig-common postinst runs before the
26# postgresql postinst. A Depends cannot be used in the packaging because the
27# database might be remote.
28# Therefore we add postgresql to the DEP8 dependency list in d/t/control, and
29# install rsyslog-pgsql from inside the test. In this way, postgresql is
30# already configured when we get here.
31DEBIAN_FRONTEND=noninteractive apt-get install -y rsyslog-pgsql
32
33message="logger-test-value=$(uuidgen)"
34
35echo "Logging message: ${message}"
36logger --id=$$ --priority user.notice "${message}"
37
38check_db_for_message postgresql "${message}"
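Review bot: typo in the comment: "postgresq DB" should be "postgresql DB". Same structural point as for simple-mysql: the enforce block is a verbatim copy (with the same `rsyslog` vs `rsyslog.d` message mismatch) and belongs in debian/tests/utils, which this script already sources.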
diff --git a/debian/tests/utils b/debian/tests/utils
0new file mode 10064439new file mode 100644
index 0000000..5d503ef
--- /dev/null
+++ b/debian/tests/utils
@@ -0,0 +1,41 @@
1check_db_for_message() {
2 local db="${1}"
3 local message="${2}"
4 local -i counter=10
5
6 case "${db}" in
7 mysql)
8 dbname="Syslog"
9 table="SystemEvents"
10 cmd="mysql -uroot ${dbname} --batch -N -e \"SELECT COUNT(*) FROM ${table} WHERE trim(Message) = \\\"${message}\\\";\""
11 ;;
12 postgresql)
13 dbname="Syslog"
14 table="systemevents"
15 cmd="sudo -u postgres -i psql -At -d ${dbname} -c \"SELECT COUNT(*) FROM ${table} WHERE trim(message) = '${message}';\""
16 ;;
17 *)
18 echo "Unrecognized db: ${db}"
19 return 1
20 ;;
21 esac
22 echo -n "Checking ${db} for the message (${counter} attempts): "
23 while [ ${counter} -gt 0 ]; do
24 count=$(eval "${cmd}")
25 if [ ${count} -eq 1 ]; then
26 echo
27 echo "Message correctly found in the ${db} ${dbname}.${table} table"
28 break
29 else
30 echo -n "."
31 counter=$((counter-1))
32 sleep 1s
33 continue
34 fi
35 done
36 if [ ${counter} -eq 0 ]; then
37 echo
38 echo "Failed to find message \"${message}\" in the ${db} ${dbname}.${table} table"
39 return 1
40 fi
41}
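Review bot: the retry loop does not retry on a failing client command. The callers run with `set -e`, so `count=$(eval "${cmd}")` aborts the whole test the first time `mysql` or `psql` exits non-zero (server still starting, socket not yet present), before the loop gets a second attempt; only a count of 0 is actually retried. Something like `count=$(eval "${cmd}" 2>/dev/null) || count=0` treats a transient connection failure as "not found yet" and lets the 10-attempt loop do its job. Related: `dbname`, `table`, `cmd` and `count` are not declared `local` and leak into the sourcing script. And while the message comes from `uuidgen` in these callers, building the SQL by string interpolation and `eval` means the helper is only safe for values the test generates itself; a comment saying so would stop it being reused later with content taken from real log lines.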
diff --git a/debian/usr.sbin.rsyslogd b/debian/usr.sbin.rsyslogd
index ab130da..3d80417 100644
--- a/debian/usr.sbin.rsyslogd
+++ b/debian/usr.sbin.rsyslogd
@@ -45,14 +45,8 @@ profile rsyslogd /usr/sbin/rsyslogd {
45 # 'r' is needed when using imfile45 # 'r' is needed when using imfile
46 /var/log/** rw,46 /var/log/** rw,
4747
48 # Add these for mysql support48 # apparmor snippets for rsyslog from other packages
49 #/etc/mysql/my.cnf r,49 include if exists <rsyslog.d>
50 #/{,var/}run/mysqld/mysqld.sock rw,
51
52 # Add thes for postgresql support
53 ##include <abstractions/openssl>
54 ##include <abstractions/ssl_certs>
55 #/{,var/}run/postgresql/.s.PGSQL.*[0-9] rw,
5650
57 # Site-specific additions and overrides. See local/README for details.51 # Site-specific additions and overrides. See local/README for details.
58 #include <local/usr.sbin.rsyslogd>52 #include <local/usr.sbin.rsyslogd>
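Review bot: `include if exists <rsyslog.d>` is the right form for an optional drop-in directory, but the comment above it should say what the new dep8 test relies on: the parser skips files with dpkg/rpm backup suffixes, dotfiles and README, and everything else under /etc/apparmor.d/rsyslog.d becomes part of rsyslogd's confinement. That makes the directory's ownership and mode part of the profile's trust boundary, so the debian/rsyslog.dirs entry should keep it root-owned and not group- or world-writable. Minor inconsistency: the new line uses the modern `include` keyword while the retained `#include <local/usr.sbin.rsyslogd>` two lines below keeps the legacy `#include` spelling; both parse, but mixing them in one profile is confusing.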
