apparmor:apparmor-2.12

Last commit made on 2022-04-19
Get this branch:
git clone -b apparmor-2.12 https://git.launchpad.net/apparmor

Branch information

Name:
apparmor-2.12
Repository:
lp:apparmor

Recent commits

ae03462... by John Johansen <email address hidden>

Merge profiles: update snap_browsers permissions

The snap_browsers abstraction requires more permissions
due to updates on snaps.

Some of the permissions are not required in older versions of
Ubuntu that use 2.12 and 2.13, but are introduced for unification
and ease of maintenance purposes. These include:
```
    all dbus permissions,
    @{PROC}/sys/kernel/random/uuid r,
    owner @{PROC}/@{pid}/cgroup r,
    /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
```

I also propose a cherry-pick of this commit to 2.12, 2.13 and 3.0

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/877
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit bfa67b369df97ec86b532fd686c8240ecbbd9f06)
Signed-off-by: John Johansen <email address hidden>

80400e0... by Christian Boltz

Merge Allow dovecot to use all signals

Similar to commit 2f9d172c641bd21671721e76e0d65ba4bd914107,
we discovered that there was a service outage
when dovecot tried to send a usr1 signal:

type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/865
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit 83685ba703572a119988f48b43ecae4a45b4b424)

f0919f83 Allow dovecot to use all signals

c87b4e8... by Georgia Garcia

add snap-browsers profile

Whenever the evince deb package tries to open a snap browser which was
selected as the default, we get the following denial:

audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

As a short-term solution, we are adding a snap-browsers profile
which restricts what snaps opened by evince can do.
The long-term solution is currently not available, but could be
accomplished by using enhanced environment variable filtering/mediation
and delegation of open fds.

Bug: https://launchpad.net/bugs/1794064

Signed-off-by: Georgia Garcia <email address hidden>
(cherry picked from commit fb3283f37ebeb2a97de1846214021af1adf2260b)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/863
Signed-off-by: Georgia Garcia <email address hidden>
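
The dovecot and evince commits above each start from one AppArmor AVC denial record. The script below is an added example, not part of the AppArmor project: it parses both record shapes seen on this page (the auditd `type=AVC msg=audit(...)` form and the journal `audit[PID]: AVC` form) into fields, groups the denials by profile, and prints a candidate rule for a maintainer to review. The sample log is a constructed copy of the two quoted lines plus one constructed complain-mode (`apparmor="ALLOWED"`) record; the rule heuristic in `suggest_rule()` is my own and is not what either commit actually did (the evince fix added a dedicated snap-browsers profile rather than a plain exec rule).

```python
"""Parse AppArmor AVC audit records and summarise the denials they report.

Added example, not part of the AppArmor project. The first two sample lines are
constructed copies of the denials quoted in the dovecot and evince commit
messages above; the third is a constructed complain-mode record.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = """\
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1648024200.000:184999): apparmor="ALLOWED" operation="open" profile="dovecot" name="/etc/dovecot/dovecot.conf" pid=1690 comm="dovecot" requested_mask="r" denied_mask="r"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> dict[str, str]:
    """Return the key=value fields of one AVC record, or {} for any other line.

    The auditd form (type=AVC msg=audit(...): ...) and the kernel/journal form
    (audit[PID]: AVC ...) carry the same apparmor="..." key=value payload, so
    one parser serves both.
    """
    if not (line.startswith("type=AVC") or " AVC " in line):
        return {}
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


@dataclass
class Denial:
    profile: str
    operation: str
    mode: str            # "DENIED" (enforce) or "ALLOWED" (complain mode, audited only)
    summary: str
    candidate_rule: str  # heuristic text for a maintainer to review, see suggest_rule()


def suggest_rule(f: dict[str, str]) -> str:
    """Heuristic profile-rule text for the common denial kinds.

    This is my own heuristic, not what the commits above did: the evince fix,
    for instance, added a dedicated snap-browsers profile instead of a plain
    exec rule, and the exec transition mode (ix/Px/Cx) is always a human decision.
    """
    op = f.get("operation", "")
    if op == "signal":
        return f"signal {f['denied_mask']} set=({f['signal']}) peer={f['peer']},"
    if op == "exec":
        return f"{f['name']} <transition>x,  # pick ix, Px or Cx -> child profile"
    if "name" in f and "denied_mask" in f:
        return f"{f['name']} {f['denied_mask']},"
    return f"# no rule heuristic for operation={op}"


def denials(log: str) -> list[Denial]:
    """All DENIED/ALLOWED AVC records in a log, in order."""
    found = []
    for line in log.splitlines():
        f = parse_avc(line)
        if f.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        target = f.get("name") or f.get("peer") or ""
        summary = f"{f['profile']}: {f['operation']} {f.get('denied_mask', '')} {target}".strip()
        found.append(Denial(f["profile"], f["operation"], f["apparmor"], summary, suggest_rule(f)))
    return found


def by_profile(log: str) -> dict[str, list[Denial]]:
    """Group denials by the confining profile, as a triage view."""
    grouped: dict[str, list[Denial]] = {}
    for d in denials(log):
        grouped.setdefault(d.profile, []).append(d)
    return grouped


if __name__ == "__main__":
    for profile, items in by_profile(SAMPLE_LOG).items():
        print(profile)
        for d in items:
            print(f"  [{d.mode}] {d.summary}\n      -> {d.candidate_rule}")
```

Run it with `python3 avc_triage.py` (name assumed); on a real host feed it `journalctl -k` or `/var/log/audit/audit.log` output instead of `SAMPLE_LOG`. The `mode` field matters for triage: `DENIED` means the profile is in enforce mode and the access was blocked (the dovecot outage above), while `ALLOWED` means a complain-mode profile only logged it.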

6c9129d... by John Johansen <email address hidden>

Merge smbd, samba-bgqd: allow reading openssl.cnf

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1195463#c10

I propose this patch for 3.0 and master. (<= 2.13 don't have the samba-bgqd profile - if we want to backport to 2.x, we'll have to pick only the smbd part.)

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1195463#c10
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/862
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>

backport: drop ../profiles/apparmor.d/samba-bgqd
(cherry picked from commit c3f64513f2986d799a7c9a07f853dd300728a7b5)
Signed-off-by: John Johansen <email address hidden>

903e58a... by John Johansen <email address hidden>

Merge [2.x..3.0] aa-remove-unknown: abort on parser failure

If apparmor_parser -N (in profiles_names_list()) fails,
aa-remove-unknown possibly gets an incomplete list of profiles in
/etc/apparmor.d/ and therefore might remove more profiles than it
should.

Replace the profiles_names_list() call with a direct apparmor_parser
call, and abort aa-remove-unknown if it exits with $? != 0

Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```

After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```

And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```

(cherry picked from commit 5053a01d84ba980c20bff7bd53a49fd6101db316)

This backports the fix in `aa-remove-unknown` from !836, but doesn't backport the cleanup in `rc.apparmor.functions`.

I propose this patch for 3.0 and all 2.x branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/859
Approved-by: Georgia Garcia <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit c6324c2a3efaa89bb173430785ab372c310c2ff7)
Signed-off-by: John Johansen <email address hidden>
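
The failure mode the commit above fixes is a general one for any "remove what is not configured" tool: if the listing step fails part-way, the tool acts on a partial list and removes too much. The script below is an added example in POSIX sh, not the project's `aa-remove-unknown`, showing the pattern it describes: run `apparmor_parser -N` directly, abort on a non-zero exit, and only then compare the loaded profiles against the configured ones. `PARSER`, the function names and `fake_parser` (a constructed stand-in so the logic can be exercised without AppArmor installed) are all my own; on a real system the kernel's loaded-profile list is `/sys/kernel/security/apparmor/profiles`.

```shell
#!/bin/sh
# Added example, not aa-remove-unknown itself: the "abort when apparmor_parser
# fails" pattern from the commit above, as a self-contained dry run.
# PARSER defaults to apparmor_parser; it can be overridden so the logic can be
# exercised on a machine without AppArmor (the constructed fake below does that).
PARSER="${PARSER:-apparmor_parser}"

# configured_profiles DIR: the profile names the parser finds in DIR, i.e. the
# output of `apparmor_parser -N DIR`. A parser failure is fatal on purpose: a
# partial list would make every profile missing from it look "unknown".
configured_profiles() {
    dir="$1"
    if ! names=$("$PARSER" -N "$dir"); then
        echo "apparmor_parser exited with failure, aborting." >&2
        return 1
    fi
    printf '%s\n' "$names"
}

# loaded_profiles FILE: names from the kernel's list of loaded profiles, whose
# lines look like "name (enforce)"; on a real system FILE is
# /sys/kernel/security/apparmor/profiles.
loaded_profiles() {
    sed 's/ ([a-z]*)$//' "$1"
}

# unknown_profiles LOADED_FILE DIR: loaded profiles that have no definition in DIR.
# Fails (and prints nothing) if the parser failed, so callers never act on a partial list.
unknown_profiles() {
    configured=$(configured_profiles "$2") || return 1
    loaded_profiles "$1" | while IFS= read -r name; do
        printf '%s\n' "$configured" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# remove_unknown_dryrun LOADED_FILE DIR: report what a real run would unload.
remove_unknown_dryrun() {
    names=$(unknown_profiles "$1" "$2") || return 1
    [ -n "$names" ] || return 0
    printf '%s\n' "$names" | while IFS= read -r name; do
        printf "Would remove '%s'\n" "$name"
    done
}

# Constructed stand-in for `apparmor_parser -N DIR`: every file in DIR holds one
# profile name per line; a line starting with "broken" triggers a parser error.
fake_parser() {
    for f in "$2"/*; do
        if grep -q '^broken' "$f"; then
            echo "AppArmor parser error for $f: syntax error" >&2
            return 1
        fi
        cat "$f"
    done
}

# Real-system usage (dry run only): sh remove-unknown-dryrun.sh -n
case "${1-}" in
    -n) remove_unknown_dryrun /sys/kernel/security/apparmor/profiles /etc/apparmor.d ;;
esac
```

The important line is `names=$(unknown_profiles ...) || return 1` in `remove_unknown_dryrun`: the parser's exit status is checked before anything is printed, so a single broken profile in the directory stops the run rather than turning every profile the parser did not reach into a removal candidate.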

c4f1ebe... by John Johansen <email address hidden>

Merge abstractions/openssl: allow /etc/ssl/{engdef,engines}.d/

These directories were introduced in openssl in https://patchwork.ozlabs<email address hidden>/

I propose this patch for 3.0 and master. Optionally also for older branches, even if it's unlikely that systems using 2.13.x or older get a new-enough openssl to need this ;-)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/818
Acked-by: John Johansen <email address hidden>
(cherry picked from commit 2b270216aa6485ed4a398e1eb57722d074ae3674)
Signed-off-by: John Johansen <email address hidden>

b5e2a73... by John Johansen <email address hidden>

Merge Add missing /proc permissions to avahi-daemon profile

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/203

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/811
Acked-by: John Johansen <email address hidden>
(cherry picked from commit ee9e61aad284f4edbebbd7cd0e8d9ac452455958)
Signed-off-by: John Johansen <email address hidden>

c14e7cf... by Steve Beattie <email address hidden>

utils: Add new python versions to logprof.conf

Adding everything up to 3.19 should make the file future-proof for a
while ;-)

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/193
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/795
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit 4559a2997cf162b0f54f602180fd352e8d2486c1)
Signed-off-by: Steve Beattie <email address hidden>

7dcda07... by Christian Boltz <email address hidden>

Merge branch 'fix-video-abstraction' into 'master'

add a missing slash at the end of the sys rule

See merge request apparmor/apparmor!791

Acked-by: Christian Boltz <email address hidden> for 2.12..master

(cherry picked from commit 4fd7bcc28934cad3c133a86036b1ae0dfcd952c8)

b3dcd02d add a missing slash at the end of the sys rule

764349a... by Christian Boltz <email address hidden>

Merge branch 'cboltz-typo' into 'master'

Fix typo in manpage

Closes #192

See merge request apparmor/apparmor!789

Acked-by: Seth Arnold <email address hidden> for all branches

(cherry picked from commit 131ae8425b39e920465ab470a0ffc6301223efcf)

1459f49b Fix typo in manpage