apparmor:apparmor-2.13

Last commit made on 2021-03-31
Get this branch:
git clone -b apparmor-2.13 https://git.launchpad.net/apparmor

Branch merges

Branch information

Name:
apparmor-2.13
Repository:
lp:apparmor

Recent commits

14ed051... by John Johansen on 2021-03-29

profiles: dhclient: allow setting task comm name

dhclient wants to set its thread names to functional names for
introspection purposes. Eg.

$ pstree -at 3395
dhclient ens3
  ├─{isc-socket}
  ├─{isc-timer}
  └─{isc-worker0000}

When denied this can result in dhclient breaking and failing to obtain
IPv4 addresses.

Fixes: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1918410
Signed-off-by: John Johansen <email address hidden>
Acked-by: Christian Boltz <email address hidden>
(cherry picked from commit c7348395518890793b2f4bf7c13bbe5a0319962d)
Signed-off-by: John Johansen <email address hidden>

8e04e39... by John Johansen <email address hidden> on 2021-03-20

Merge look up python-config using AC_PATH_TOOL

Doing so adds the $ac_tool_prefix during cross compilation and will end up using the correct, architecture-dependent python-config.

This is the second and last upstreamable change from https://bugs.debian.org/984582. It looks a little simpler here, because apparmor evolved upstream compared to the Debian version. Fortunately, it got a lot simpler in the process.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/729
Acked-by: John Johansen <email address hidden>
(debian version of commit c32c970d00b9ad8af4b471d3a1873db614a4afa8)
Signed-off-by: John Johansen <email address hidden>

552ee5d... by John Johansen <email address hidden> on 2021-03-20

Merge Do not abuse AC_CHECK_FILE

AC_CHECK_FILE is meant to check for host files and therefore fails hard during cross compilation unless one supplies a cached check result. Here we want to know about the presence of a build system file though, so AC_CHECK_FILE is the wrong tool.

This is part of https://bugs.debian.org/984582.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/728
Acked-by: John Johansen <email address hidden>
(cherry picked from commit f17143b5c302d429929e6793cba65176a63c0c0d)
Signed-off-by: John Johansen <email address hidden>

c8e5721... by John Johansen on 2021-03-15

profiles: dhcpd: add rule for port_range

The following AppArmor denial errors are shown on startup:

Oct 25 00:52:00 xxx kernel: [ 556.231990] audit: type=1400 audit(1603601520.710:32): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Oct 25 00:52:00 xxx kernel: [ 556.232257] audit: type=1400 audit(1603601520.710:33): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fixes: https://bugs.launchpad.net/bugs/1901373
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/726
Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit 277677daf32aff1f629eee965fdc6ff022434ca2)
Signed-off-by: John Johansen <email address hidden>

44e6f90... by John Johansen on 2021-03-14

parser: fix filter slashes for link targets

The parser is failing to properly filter the slashes in the link name
after variable expansion. Causing match failures when multiple slashes
occur.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/153
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/723
Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit 2852e1ecdf9e7bd754e75e0c9adfaeadeea48a67)
Signed-off-by: John Johansen <email address hidden>

dd03484... by Mikhail Morfikov on 2021-03-14

abstractions: Add missing rule in wutmp abstraction

Currently the wutmp abstraction has the following rules:
  /var/log/lastlog rwk,
  /var/log/wtmp wk,
  @{run}/utmp rwk,

According to what I see in my apparmor profiles, just a few apps want
to interact with the files listed above, especially with the
/var/log/wtmp . But when the apps do this, they sometimes want the
read access to this file. An example could be the last command. Is
there any reason for not having the r in the rule? The second thing
is the file /var/log/btmp (which isn't included in the
abstracion). Whenever I see an app, which wants to access the
/var/log/wtmp file, it also tries to interact with the /var/log/btmp
file, for instance lightdm/sddm or su . Most of the time they need
just wk permissions, but sometimes apps need also r on this file, an
example could be the lastb command, which is just a link to last.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/152
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/724
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit d4e0a9451154cf96634f76a40f5e462ee595d01d)
Signed-off-by: John Johansen <email address hidden>

00396b8... by John Johansen on 2021-03-14

parser: fix backport of MR700

The backport of
  855dbd4a parser: fix rule downgrade for unix rules

using the rule_t::warn_once which doesn't exist in the 2.x parser
series. Switch this the the static function warn_once.

Fixes: 3d85e123 parser: fix rule downgrade for unix rules
Signed-off-by: John Johansen <email address hidden>

3d85e12... by John Johansen on 2021-01-14

parser: fix rule downgrade for unix rules

Rule downgrades are used to provide some confinement when a feature
is only partially supported by the kernel.

  Eg. On a kernel that doesn't support fine grained af_unix mediation
      but does support network mediation.

        unix (connect, receive, send)
              type=stream
              peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

      will be downgraded to

        network unix type=stream,

Which while more permissive still provides some mediation while
allowing the appication to still function. However making the rule
a deny rule result in tightening the profile.

  Eg.
        deny unix (connect, receive, send)
              type=stream
              peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

      will be downgraded to

        deny network unix type=stream,

and that deny rule will take priority over any allow rule. Which means
that if the profile also had unix allow rules they will get blocked by
the downgraded deny rule, because deny rules have a higher priority,
and the application will break. Even worse there is no way to add the
functionality back to the profile without deleting the offending deny
rule.

To fix this we drop deny rules that can't be downgraded in a way that
won't break the application.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/700
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit 855dbd4ac8ddb253343d6a81e094030c28233888)
Signed-off-by: John Johansen <email address hidden>

4c8ac78... by Rose Kunkel <email address hidden> on 2021-01-18

Fix nscd conflict with systemd-homed

My main user account is managed by systemd-homed. When I enable
AppArmor and have nscd running, I get inconsistent behavior with my
user account - sometimes I can't log in, sometimes I can log in but
not use sudo, etc.

This is the output of getent passwd:
  $ getent passwd
  root:x:0:0::/root:/usr/bin/zsh
  bin:x:1:1::/:/sbin/nologin
  daemon:x:2:2::/:/sbin/nologin
  mail:x:8:12::/var/spool/mail:/sbin/nologin
  ftp:x:14:11::/srv/ftp:/sbin/nologin
  http:x:33:33::/srv/http:/sbin/nologin
  nobody:x:65534:65534:Nobody:/:/sbin/nologin
  dbus:x:81:81:System Message Bus:/:/sbin/nologin
  [...]
  rose:x:1000:1000:Rose Kunkel:/home/rose:/usr/bin/zsh

But getent passwd rose and getent passwd 1000 both return no output.
Stopping nscd.service fixes these problems. Checking the apparmor
logs, I noticed that nscd was denied access to
/etc/machine-id. Allowing access to that file seems to have fixed the
issue.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/707
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/145
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit ee5303c8a056937e524ac47dcbbff02961c48265)
Signed-off-by: John Johansen <email address hidden>

17032f2... by Seth Arnold on 2020-11-15

profiles: firefox Add support for widevine DRM

Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1

Running firefix, then going to netflix.com and attempting to play a
movie. The widevinecdm plugin crashes, the following is found in
syslog:

Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert
...

Fixes: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1777070
Reported-by: Xav Paice <email address hidden>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/684
Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit 656f2103ed70387d2643ff83d510960dfd959e7f)
Signed-off-by: John Johansen <email address hidden>