apparmor:apparmor-2.13

Last commit made on 2022-05-23
Get this branch:
git clone -b apparmor-2.13 https://git.launchpad.net/apparmor

Branch information

Name:
apparmor-2.13
Repository:
lp:apparmor

Recent commits

3f4e97e... by John Johansen <email address hidden>

Merge Update for the mesa abstraction

I noticed that some apps return the following errors when launched:

```
  kernel: audit: type=1400 audit(1651244478.255:5501): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  kernel: audit: type=1400 audit(1651244478.255:5502): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Blocking the files results in the following errors when the app is executed in a terminal:

```
  MESA: error: Failed to query drm device.
  libGL error: failed to create dri screen
  libGL error: failed to load driver: crocus
  MESA: error: Failed to query drm device.
  libGL error: failed to create dri screen
  libGL error: failed to load driver: crocus
```

Since they have something to do with MESA, I think the mesa abstraction should
be updated to fix the issue.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/879
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
Signed-off-by: John Johansen <email address hidden>

7e6df95... by John Johansen <email address hidden>

Merge profiles: update snap_browsers permissions

The snap_browsers abstraction requires more permissions
due to updates on snaps.

Some of the permissions are not required in older versions of
Ubuntu that use 2.12 and 2.13, but are introduced for unification
and ease of maintenance purposes. These include:
```
    all dbus permissions,
    @{PROC}/sys/kernel/random/uuid r,
    owner @{PROC}/@{pid}/cgroup r,
    /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
```

I also propose a cherry-pick of this commit to 2.12, 2.13 and 3.0

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/877
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit bfa67b369df97ec86b532fd686c8240ecbbd9f06)
Signed-off-by: John Johansen <email address hidden>

1a3b818... by Christian Boltz

Merge Allow dovecot to use all signals

Similar to commit 2f9d172c641bd21671721e76e0d65ba4bd914107,
we discovered that there was a service outage
when dovecot tried to send a usr1 signal:

```
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
```

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/865
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit 83685ba703572a119988f48b43ecae4a45b4b424)

f0919f83 Allow dovecot to use all signals

e3371f8... by Georgia Garcia

add snap-browsers profile

Whenever the evince deb package tries to open a snap browser which was
selected as the default, we get the following denial:

```
audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```

As a short-term solution, we are adding a snap-browsers profile
which restricts what snaps opened by evince can do.
The long-term solution is currently not available, but could be
accomplished by using enhanced environment variable filtering/mediation
and delegation of open fds.

Bug: https://launchpad.net/bugs/1794064

Signed-off-by: Georgia Garcia <email address hidden>
(cherry picked from commit fb3283f37ebeb2a97de1846214021af1adf2260b)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/863
Signed-off-by: Georgia Garcia <email address hidden>
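The denials quoted in the mesa, dovecot and evince commits above arrive in three different wrappers (syslog-prefixed `kernel: audit: type=1400`, raw `type=AVC msg=audit(...)`, and `audit[pid]: AVC`) but carry the same `key=value` fields. The following added example is not AppArmor project code: it parses those lines and derives the narrowest profile rule that would allow each denial, roughly what `aa-logprof` does by hand; the sample log is constructed from the lines quoted above, and the `<QUALIFIER>x` placeholder for exec rules is my own marker.

```python
import re
from typing import Dict, List

# Constructed sample: the denials quoted in the commits above plus one ALLOWED line (complain mode)
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1651244478.255:5501): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1651244478.255:5502): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1651244478.301:5503): apparmor="ALLOWED" operation="open" profile="some_app" name="/etc/ld.so.cache" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are double-quoted (paths, masks, peer) or bare (pid, fsuid, signal)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Extract the key=value fields of one audit line, whatever prefix syslog/auditd added."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def suggest_rule(ev: Dict[str, str]) -> str:
    """Turn one DENIED event into the narrowest profile rule that would allow it."""
    op, mask = ev.get("operation"), ev.get("denied_mask", "")
    if op == "signal":
        return f'signal ({mask}) set=({ev["signal"]}) peer={ev["peer"]},'
    path = ev["name"]
    # fsuid == ouid means the process touched a file it owns: scope the rule with `owner`
    prefix = "owner " if ev.get("fsuid") == ev.get("ouid") else ""
    if op == "exec":
        # exec rules need a qualifier (ix/Px/Cx/ux); that is a policy decision, so emit a
        # placeholder instead of guessing (the evince commit above added a snap-browsers profile)
        return f"{prefix}{path} <QUALIFIER>x,"
    return f"{prefix}{path} {mask},"


def denials_by_profile(log: str) -> Dict[str, List[str]]:
    """Group suggested rules by the profile that logged the denial, dropping duplicates."""
    out: Dict[str, List[str]] = {}
    for line in log.splitlines():
        ev = parse_line(line)
        if ev.get("apparmor") != "DENIED":
            continue
        rules = out.setdefault(ev["profile"], [])
        rule = suggest_rule(ev)
        if rule not in rules:  # the same denial is usually logged many times
            rules.append(rule)
    return out


if __name__ == "__main__":
    for profile, rules in denials_by_profile(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n  ")
```

The generated paths are literal; before adding them to a profile or abstraction you would normally widen them with globs (as the mesa commit does for the PCI device directory) so one rule covers every device instance.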

2d6380c... by John Johansen <email address hidden>

Merge smbd, samba-bgqd: allow reading openssl.cnf

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1195463#c10

I propose this patch for 3.0 and master. (<= 2.13 don't have the samba-bgqd profile - if we want to backport to 2.x, we'll have to pick only the smbd part.)

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1195463#c10
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/862
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>

backport: drop ../profiles/apparmor.d/samba-bgqd
(cherry picked from commit c3f64513f2986d799a7c9a07f853dd300728a7b5)
Signed-off-by: John Johansen <email address hidden>

5f3f4ba... by John Johansen <email address hidden>

Merge [2.x..3.0] aa-remove-unknown: abort on parser failure

If apparmor_parser -N (in profiles_names_list()) fails,
aa-remove-unknown possibly gets an incomplete list of profiles in
/etc/apparmor.d/ and therefore might remove more profiles than it
should.

Replace the profiles_names_list() call with a direct apparmor_parser
call, and abort aa-remove-unknown if it exits with $? != 0.

Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```

After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```

And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```

(cherry picked from commit 5053a01d84ba980c20bff7bd53a49fd6101db316)

This backports the fix in `aa-remove-unknown` from !836, but doesn't backport the cleanup in `rc.apparmor.functions`.

I propose this patch for 3.0 and all 2.x branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/859
Approved-by: Georgia Garcia <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit c6324c2a3efaa89bb173430785ab372c310c2ff7)
Signed-off-by: John Johansen <email address hidden>

4540cb2... by John Johansen

libapparmor: fix building with link time optimization (lto)

Currently libapparmor fails to build when lto is used because it uses
the asm directive to provide different versions of some symbols.
Unfortunately gcc does not recognize this, so the symbols defined by
asm are lost and optimized out by lto, and then the link fails.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/214
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/831
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit 7cde91f57f5991cb45f15cee1d22c4150fc36e83)
Signed-off-by: John Johansen <email address hidden>

3cdfe94... by John Johansen <email address hidden>

Merge Fix: Opening links with Chrome

Permission denied when Evince tries to use Chrome to open a link.

The config is missing the bin: `/opt/google/chrome/crashpad_handler`.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/830
Acked-by: John Johansen <email address hidden>
(cherry picked from commit 08f32ac703b47788d20fb809a5c43fc5756abf7e)
Signed-off-by: John Johansen <email address hidden>

15e5b5c... by John Johansen <email address hidden>

Merge abstractions/openssl: allow /etc/ssl/{engdef,engines}.d/

These directories were introduced in openssl in https://patchwork.ozlabs<email address hidden>/

I propose this patch for 3.0 and master. Optionally also for older branches, even if it's unlikely that systems using 2.13.x or older get a new-enough openssl to need this ;-)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/818
Acked-by: John Johansen <email address hidden>
(cherry picked from commit 2b270216aa6485ed4a398e1eb57722d074ae3674)
Signed-off-by: John Johansen <email address hidden>

3da24e0... by John Johansen <email address hidden>

Merge Add missing /proc permissions to avahi-daemon profile

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/203

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/811
Acked-by: John Johansen <email address hidden>
(cherry picked from commit ee9e61aad284f4edbebbd7cd0e8d9ac452455958)
Signed-off-by: John Johansen <email address hidden>