apparmor:apparmor-2.11

Last commit made on 2021-02-12
Get this branch:
git clone -b apparmor-2.11 https://git.launchpad.net/apparmor

Branch information

Name:
apparmor-2.11
Repository:
lp:apparmor

Recent commits

57d56dc... by Rose Kunkel <email address hidden> on 2021-01-18

Fix nscd conflict with systemd-homed

My main user account is managed by systemd-homed. When I enable
AppArmor and have nscd running, I get inconsistent behavior with my
user account - sometimes I can't log in, sometimes I can log in but
not use sudo, etc.

This is the output of getent passwd:
```
$ getent passwd
root:x:0:0::/root:/usr/bin/zsh
bin:x:1:1::/:/sbin/nologin
daemon:x:2:2::/:/sbin/nologin
mail:x:8:12::/var/spool/mail:/sbin/nologin
ftp:x:14:11::/srv/ftp:/sbin/nologin
http:x:33:33::/srv/http:/sbin/nologin
nobody:x:65534:65534:Nobody:/:/sbin/nologin
dbus:x:81:81:System Message Bus:/:/sbin/nologin
[...]
rose:x:1000:1000:Rose Kunkel:/home/rose:/usr/bin/zsh
```

But getent passwd rose and getent passwd 1000 both return no output.
Stopping nscd.service fixes these problems. Checking the apparmor
logs, I noticed that nscd was denied access to
/etc/machine-id. Allowing access to that file seems to have fixed the
issue.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/707
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/145
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit ee5303c8a056937e524ac47dcbbff02961c48265)
Signed-off-by: John Johansen <email address hidden>

939a0de... by Seth Arnold on 2020-11-15

profiles: firefox Add support for widevine DRM

Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1

Running firefox, then going to netflix.com and attempting to play a
movie. The widevinecdm plugin crashes; the following is found in
syslog:

```
Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert
...
```

Fixes: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1777070
Reported-by: Xav Paice <email address hidden>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/684
Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit 656f2103ed70387d2643ff83d510960dfd959e7f)
Signed-off-by: John Johansen <email address hidden>

2f2f8e8... by John Johansen on 2021-02-03

parser: fix --jobs so job scaling is applied correctly

Job scaling allows the parser to resample the number of cpus available
and increase the number of jobs that can be launched if the number of
available cpus increases.

Unfortunately job scaling was being applied even when a fixed number
of jobs was specified. So
  --jobs=2

doesn't actually clamp the compile at 2 jobs.

Instead job scaling should only be applied when --jobs=auto or when
jobs are set to a multiple of the cpus.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/703
Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit 65ba20b955ba91cd44e7a1a3f3194ea7f567dcb2)

c00b2b5... by Christian Boltz on 2020-12-09

apparmor.vim: add support for abi rules

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/690
(cherry picked from commit c421fcd38aaf6d4fccebfaf03c9f65ca00f0245c)
Signed-off-by: John Johansen <email address hidden>

ecaa87b... by Christian Boltz on 2020-11-08

aa-autodep: load abstractions on start

So far, aa-autodep "accidentally" loaded the abstractions when parsing the
existing profiles. Obviously, this only worked if there was at least one
profile in the active or extra profile directory.

Without any existing profiles, aa-autodep crashed with
KeyError: '/tmp/apparmor.d/abstractions/base'

Prevent this crash by explicitly loading the abstractions on start.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/682
(cherry picked from commit f6b3de71161f9acfa177e879017560000b7ffde8)
Signed-off-by: John Johansen <email address hidden>

97c191a... by Christian Boltz on 2020-11-16

abstractions/X: Allow (only) reading X compose cache

... (/var/cache/libx11/compose/*), and deny any write attempts

Reported by darix,
https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/685
(cherry picked from commit 78bd811e2a23f55974991cd208f6a17749655c21)
Signed-off-by: John Johansen <email address hidden>

d6421c9... by John Johansen <email address hidden> on 2020-11-03

Merge [2.11] Check hotkey conflicts case-insensitive

This is needed to catch conflicts between uppercase and lowercase hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in the German utils translations.

(cherry picked from commit 07bd11390ea16df17db7f7e6bd2c9678345d3ac5)

This is the 2.11 variant of https://gitlab.com/apparmor/apparmor/-/merge_requests/675 - and luckily the 2.11 branch doesn't have any hotkey conflicts.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/680
Acked-by: John Johansen <email address hidden>

2c10453... by Christian Boltz on 2020-10-31

Check hotkey conflicts case-insensitive

This is needed to catch conflicts between uppercase and lowercase
hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in
the German utils translations.

(cherry picked from commit 07bd11390ea16df17db7f7e6bd2c9678345d3ac5)

5d98b68... by Vincas Dargis on 2020-10-25

dovecot: allow reading dh.pem

Dovecot is hit with this denial on Debian 10 (buster):
```
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
```

This results in a fatal error:

```
Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
/usr/share/dovecot/dh.pem: Permission denied
```

Add a rule to allow reading dh.pem.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 9d8e111abe3f54681bb8ba5d47b6fc43e4f4a034)
Signed-off-by: John Johansen <email address hidden>

11e2998... by Vincas Dargis on 2020-10-25

dovecot: allow kill signal

Dovecot might try to kill related processes:

```
type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/auth"

type=AVC msg=audit(1601315453.655:9369): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3"

type=AVC msg=audit(1602939754.145:101362): apparmor="DENIED"
operation="signal" profile="dovecot" pid=31632 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3-login"
```
This was discovered on a low-power, high-load machine (last resort timeout
handling?).

Update signal rule to allow SIGKILL.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 2f9d172c641bd21671721e76e0d65ba4bd914107)
Signed-off-by: John Johansen <email address hidden>
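The dovecot, nscd and firefox commits above all follow the same workflow: read an AppArmor `apparmor="DENIED"` audit record, identify the profile, operation and object it names, and add the narrowest rule that resolves it. The script below is an added example written for this page; it is not AppArmor project code and is a deliberately simplified sketch of what aa-logprof does. It parses both the `type=AVC msg=audit(...)` form quoted in the dovecot commits and the kernel-syslog `audit: type=1400 audit(...)` form quoted in the firefox commit, groups the denials by profile, and proposes a file, signal or ptrace rule for each. The sample lines are constructed from the records quoted in those commit messages; the mask translation table (`c`/`d` treated as `w`) and the refusal to emit exec rules automatically are design choices of this example, not behaviour documented on this page.

```python
import re

# Constructed sample records, modelled on the denials quoted in the commits above.
SAMPLE_LINES = [
    'type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED" operation="open" '
    'profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=28774 comm="doveconf" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED" operation="signal" '
    'profile="dovecot" pid=21223 comm="dovecot" requested_mask="send" '
    'denied_mask="send" signal=kill peer="/usr/lib/dovecot/auth"',
    'Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 '
    'audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" '
    'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/'
    'gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 '
    'comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000',
    # Not an AppArmor record at all; the parser must ignore it.
    'Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault '
    'at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]',
]

# key="quoted value" or key=bareword; quoted values may contain spaces and globs.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit masks that do not exist as profile permissions: create/delete need write.
FILE_MASK_MAP = {"c": "w", "d": "w"}
FILE_PERMS = set("rwmkla")


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def file_perms(mask):
    """Translate an audit denied_mask into profile permission letters."""
    perms = "".join(FILE_MASK_MAP.get(ch, ch) for ch in mask)
    # Exec denials need a human to pick ix/Px/Cx; never auto-generate them.
    if "x" in perms or any(ch not in FILE_PERMS for ch in perms):
        return None
    return "".join(dict.fromkeys(perms))  # dedupe, keep order


def suggest_rule(fields):
    """Propose the narrowest profile rule that would resolve one denial."""
    op = fields.get("operation", "")
    mask = fields.get("denied_mask", "")
    if op == "open" or op.startswith("file_"):
        perms = file_perms(mask)
        path = fields.get("name")
        if perms is None or path is None:
            return None
        if " " in path:  # paths with spaces must be quoted in a profile
            path = '"%s"' % path
        return "%s %s," % (path, perms)
    if op == "signal":
        return "signal (%s) set=(%s) peer=%s," % (mask, fields["signal"], fields["peer"])
    if op == "ptrace":
        return "ptrace (%s) peer=%s," % (mask, fields["peer"])
    return None  # dbus, network, capability etc. are out of scope here


def suggest_rules(lines):
    """Group proposed rules by confined profile, dropping duplicates."""
    by_profile = {}
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        rule = suggest_rule(fields)
        if rule is None:
            continue
        rules = by_profile.setdefault(fields["profile"], [])
        if rule not in rules:
            rules.append(rule)
    return by_profile


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LINES).items():
        print("profile %s:" % profile)
        for rule in rules:
            print("  " + rule)
```

Run against the constructed lines, the dovecot profile gets `/usr/share/dovecot/dh.pem r,` and `signal (send) set=(kill) peer=/usr/lib/dovecot/auth,`, which are the two fixes the dovecot commits describe, and the firefox profile gets an `m` rule for the literal libwidevinecdm.so path. Unlike aa-logprof, this sketch does not generalise the user-specific path segments into `@{HOME}` or glob patterns, so the proposed rule is a starting point to review, not a drop-in.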