apparmor:apparmor-2.13

Last commit made on 2024-10-21
Get this branch:
git clone -b apparmor-2.13 https://git.launchpad.net/apparmor

Branch information

Name:
apparmor-2.13
Repository:
lp:apparmor

Recent commits

9272bf7... by Christian Boltz

Merge [2.13 cherry-pick] Merge utils: catch TypeError exception for binary logs

When a log like system.journal is passed on to aa-genprof, for
example, the user receives a TypeError exception: in method
'parse_record', argument 1 of type 'char *'

This patch catches that exception and displays a more meaningful
message.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/436
Signed-off-by: Georgia Garcia <email address hidden>

Closes #436
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1354
Approved-by: Christian Boltz <email address hidden>
Merged-by: John Johansen <email address hidden>

(cherry picked from commit cb0f84e1014e0c002735381f09a929ef4dff892c)
Signed-off-by: Georgia Garcia <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1391
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

506c98e... by John Johansen <email address hidden>

Merge utils: catch TypeError exception for binary logs

When a log like system.journal is passed on to aa-genprof, for
example, the user receives a TypeError exception: in method
'parse_record', argument 1 of type 'char *'

This patch catches that exception and displays a more meaningful
message.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/436
Signed-off-by: Georgia Garcia <email address hidden>

Closes #436
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1354
Approved-by: Christian Boltz <email address hidden>
Merged-by: John Johansen <email address hidden>

(cherry picked from commit cb0f84e1014e0c002735381f09a929ef4dff892c)
Signed-off-by: Georgia Garcia <email address hidden>

d3a6965... by Georgia Garcia

libapparmor: make af_protos.h consistent in different archs

af_protos.h is a generated table of the protocols created by looking
for definitions of IPPROTO_* in netinet/in.h. Depending on the
architecture, the order of the table may change when using -dM in the
compiler during the extraction of the defines.

This causes an issue because there is more than one IPPROTO defined
by the value 0: IPPROTO_IP and IPPROTO_HOPOPTS which is a header
extension used by IPv6. So if IPPROTO_HOPOPTS was first in the table,
then protocol=0 in the audit logs would be translated to hopopts.

This caused a failure in arm 32bit:

Output doesn't match expected data:
--- ./test_multi/testcase_unix_01.out 2024-08-15 01:47:53.000000000 +0000
+++ ./test_multi/out/testcase_unix_01.out 2024-08-15 23:42:10.187416392 +0000
@@ -12,7 +12,7 @@
 Peer Addr: @test_abstract_socket
 Network family: unix
 Socket type: stream
-Protocol: ip
+Protocol: hopopts
 Class: net
 Epoch: 1711454639
 Audit subid: 322
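
Review bot: this hunk is a test-expectation diff rather than a code change; the only differing lines are `-Protocol: ip` and `+Protocol: hopopts` for the same protocol=0 record, so testcase_unix_01 already exercises the duplicate-value case that the -dD ordering fix addresses. Since the expectation depends on IPPROTO_IP being emitted ahead of IPPROTO_HOPOPTS in the generated af_protos.h, a short comment in the generator recording that assumption would help whoever next sees `hopopts` in this output.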

By the time protocol is resolved in grammar.y, we don't have
access to the net family to check if it's inet6. Instead of making
protocol dependent on the net family, make the order of the
af_protos.h table consistent between architectures using -dD.

Signed-off-by: Georgia Garcia <email address hidden>
(cherry picked from commit 95c419dc45aa777196a613d41ea72ebca3a679ac)
Signed-off-by: Georgia Garcia <email address hidden>
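
The collision behind this commit, as an added illustration that is not libapparmor code and does not reproduce the generated af_protos.h: netinet/in.h really does define both IPPROTO_IP and IPPROTO_HOPOPTS as 0, so a first-match lookup over a generated name table returns whichever name the generator emitted first. The two tables below are hand-constructed stand-ins for two possible generator orderings, and `first_duplicate_value` is a guard one could run over the generated table to flag such ambiguous values before they reach a decoder.

```c
/*
 * Added illustration (not libapparmor code): a generated protocol name
 * table with duplicate values is order-sensitive. netinet/in.h defines
 * both IPPROTO_IP and IPPROTO_HOPOPTS as 0, so the name a first-match
 * lookup returns for protocol=0 depends purely on emission order.
 */
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef IPPROTO_HOPOPTS
#define IPPROTO_HOPOPTS 0 /* IPv6 hop-by-hop options; same value as IPPROTO_IP */
#endif

struct proto_entry {
	const char *name;
	int value;
};

/* Constructed stand-ins for two possible orderings of the generated table.
 * The real af_protos.h is produced from the compiler's -dM/-dD output; these
 * rows are written by hand for the example. */
static const struct proto_entry table_ip_first[] = {
	{ "ip", IPPROTO_IP }, { "hopopts", IPPROTO_HOPOPTS },
	{ "icmp", IPPROTO_ICMP }, { "tcp", IPPROTO_TCP }, { "udp", IPPROTO_UDP },
};

static const struct proto_entry table_hopopts_first[] = {
	{ "hopopts", IPPROTO_HOPOPTS }, { "ip", IPPROTO_IP },
	{ "icmp", IPPROTO_ICMP }, { "tcp", IPPROTO_TCP }, { "udp", IPPROTO_UDP },
};

#define TABLE_LEN(t) (sizeof(t) / sizeof((t)[0]))

/* First-match lookup: the behaviour that made protocol=0 decode differently
 * on arm 32-bit. Returns NULL when the value is not in the table. */
const char *proto_name(const struct proto_entry *t, size_t n, int value)
{
	for (size_t i = 0; i < n; i++)
		if (t[i].value == value)
			return t[i].name;
	return NULL;
}

/* Guard for generator output: return the first value that appears under more
 * than one name, or -1 if every value is unique. */
int first_duplicate_value(const struct proto_entry *t, size_t n)
{
	for (size_t i = 0; i < n; i++)
		for (size_t j = i + 1; j < n; j++)
			if (t[i].value == t[j].value)
				return t[i].value;
	return -1;
}

/* Wrappers so each constructed table can be exercised by name. */
const char *ip_first_name(int value)
{
	return proto_name(table_ip_first, TABLE_LEN(table_ip_first), value);
}

const char *hopopts_first_name(int value)
{
	return proto_name(table_hopopts_first, TABLE_LEN(table_hopopts_first), value);
}

int ip_first_duplicate(void)
{
	return first_duplicate_value(table_ip_first, TABLE_LEN(table_ip_first));
}

int main(void)
{
	/* Same audit value, two different decodings, purely from table order. */
	printf("protocol=0, ip first:      %s\n", ip_first_name(0));
	printf("protocol=0, hopopts first: %s\n", hopopts_first_name(0));

	int dup = ip_first_duplicate();
	if (dup >= 0)
		printf("ambiguous protocol value in table: %d\n", dup);
	return 0;
}
```

Running the duplicate check against the generated table in the build would turn a silent, architecture-dependent decoding difference into an explicit build-time finding, independent of which ordering the compiler happens to produce.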

811fe99... by John Johansen <email address hidden>

Merge abstractions/base: allow reading of fips_enabled

Commonly used by applications to determine if Linux is running in
FIPS mode. As we already allow access to FIPS specific library files
as part of base, allow this there as well.

Signed-off-by: Georg Pfuetzenreuter <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1286
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit e787f4d69d7d579c702b2c4daeb6cc591ac4e059)
Signed-off-by: John Johansen <email address hidden>

804c854... by Ryan Lee

Fix SWIG prototype declaration of aa_getpeercon_raw

Unsigned int vs int probably wouldn't have caused issues, but just in case

Signed-off-by: Ryan Lee <email address hidden>
(cherry picked from commit 91bac34afde765dfc7a0e9fd721940babe5656fd)
Signed-off-by: Georgia Garcia <email address hidden>

55d8c58... by Ryan Lee

Explicitly initialize component in test_walk_one

This removes the assumption that the stack is zeroed and silences the corresponding compiler warning

Signed-off-by: Ryan Lee <email address hidden>
(cherry picked from commit 552d9d9f7a66b01d8287dcf19e3fd5eeb671127f)
Signed-off-by: Georgia Garcia <email address hidden>

0824954... by John Johansen <email address hidden>

Merge parser: fix Normalization infinite loop

Expression simplification can get into an infinite loop due to eps
pairs hiding behind an alternation that can't be caught by
normalize_eps() (which exists in the first place to stop a similar
loop).

The loop in question happens in AltNode::normalize when a subtree has
the following structure.

1. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                alt
               /   \
             eps   alt
                  /   \
                alt   eps
               /   \
             eps   eps

2. if (normalize_eps(dir)) results in

                alt
               /   \
             alt   eps
            /   \
          alt   eps
         /   \
       eps   eps

3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                 alt
              /       \
            alt       alt
           /   \     /   \
          eps eps   eps eps

4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                alt
               /   \
             eps   alt
                  /   \
                eps   alt
                     /   \
                   eps   eps

5. if (normalize_eps(dir)) results in

                alt
               /   \
             alt   eps
            /   \
          eps   alt
               /   \
             eps   eps

6. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                alt
               /   \
             eps   alt
                  /   \
                alt   eps
               /   \
             eps   eps

back to beginning of cycle

Fix this by detecting the creation of an eps_pair in rotate_node(),
that pair can be immediately eliminated by simplifying the tree in that
step.

In the above cycle the pair creation is caught at step 3 resulting
in

3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                alt
               /   \
             alt   eps
            /   \
          eps   eps

4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                alt
               /   \
             eps   alt
                  /   \
                eps   eps

which gets reduced to

                alt
               /   \
             eps   eps

breaking the normalization loop. The degenerate alt node will be caught
in turn when its parent is dealt with.

This needs to be backported to all releases

Closes: https://gitlab.com/apparmor/apparmor/-/issues/398
Fixes: 846cee506 ("Split out parsing and expression trees from regexp.y")
Reported-by: Christian Boltz <email address hidden>
Signed-off-by: John Johansen <email address hidden>

Closes #398
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1252
Approved-by: Georgia Garcia <email address hidden>
Merged-by: John Johansen <email address hidden>

(cherry picked from commit a6691ca53e77263edb7281df3d4d008022812745)
Signed-off-by: John Johansen <email address hidden>

023335d... by John Johansen <email address hidden>

Merge gitlab-ci.yml: set fixed version on pipeline for 2.13

In order to maintain compatibility with Python 2 in AppArmor 2.13, set
the pipeline to use a version of Ubuntu which supports Python 2.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1225
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>

18effc5... by Georgia Garcia

gitlab-ci.yml: set fixed version on pipeline for 2.13

In order to maintain compatibility with Python 2 in AppArmor 2.13, set
the pipeline to use a version of Ubuntu which supports Python 2.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <email address hidden>

48bc355... by Christian Boltz

Merge abstractions/openssl: allow version specific engdef & engines paths

Some openssl distributions use version specific engdef and engines paths
to support multi-version installations.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219571

Signed-off-by: David Disseldorp <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1147
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit 2577fbf0770784e531f9210856208a774ae92af0)

2b8cf1be abstractions/openssl: allow version specific engdef & engines paths