apparmor:apparmor-3.0

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

4ee00aa... by John Johansen on 2021-03-29

profiles: dhclient: allow setting task comm name

dhclient wants to set its thread names to functional names for
introspection purposes. Eg.

$ pstree -at 3395
dhclient ens3
  ├─{isc-socket}
  ├─{isc-timer}
  └─{isc-worker0000}

When denied this can result in dhclient breaking and failing to obtain
IPv4 addresses.

Fixes: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1918410
Signed-off-by: John Johansen <email address hidden>
Acked-by: Christian Boltz <email address hidden>
(cherry picked from commit c7348395518890793b2f4bf7c13bbe5a0319962d)
Signed-off-by: John Johansen <email address hidden>

55da3a1... by John Johansen <email address hidden> on 2021-03-20

Merge look up python-config using AC_PATH_TOOL

Doing so adds the $ac_tool_prefix during cross compilation and will end up using the correct, architecture-dependent python-config.

This is the second and last upstreamable change from https://bugs.debian.org/984582. It looks a little simpler here, because apparmor evolved upstream compared to the Debian version. Fortunately, it got a lot simpler in the process.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/729
Acked-by: John Johansen <email address hidden>
(cherry picked from commit c32c970d00b9ad8af4b471d3a1873db614a4afa8)
Signed-off-by: John Johansen <email address hidden>

e58742c... by John Johansen <email address hidden> on 2021-03-20

Merge Do not abuse AC_CHECK_FILE

AC_CHECK_FILE is meant to check for host files and therefore fails hard during cross compilation unless one supplies a cached check result. Here we want to know about the presence of a build system file though, so AC_CHECK_FILE is the wrong tool.

This is part of https://bugs.debian.org/984582.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/728
Acked-by: John Johansen <email address hidden>
(cherry picked from commit f17143b5c302d429929e6793cba65176a63c0c0d)
Signed-off-by: John Johansen <email address hidden>

7f84e8b... by John Johansen on 2021-03-15

profiles: dhcpd: add rule for port_range

The following AppArmor denial errors are shown on startup:

Oct 25 00:52:00 xxx kernel: [ 556.231990] audit: type=1400 audit(1603601520.710:32): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Oct 25 00:52:00 xxx kernel: [ 556.232257] audit: type=1400 audit(1603601520.710:33): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fixes: https://bugs.launchpad.net/bugs/1901373
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/726
Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit 277677daf32aff1f629eee965fdc6ff022434ca2)
Signed-off-by: John Johansen <email address hidden>

8b939b8... by John Johansen on 2021-03-14

parser: fix filter slashes for link targets

The parser is failing to properly filter the slashes in the link name
after variable expansion. Causing match failures when multiple slashes
occur.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/153
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/723
Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit 2852e1ecdf9e7bd754e75e0c9adfaeadeea48a67)
Signed-off-by: John Johansen <email address hidden>

4c6f835... by Mikhail Morfikov on 2021-03-14

abstractions: Add missing rule in wutmp abstraction

Currently the wutmp abstraction has the following rules:
  /var/log/lastlog rwk,
  /var/log/wtmp wk,
  @{run}/utmp rwk,

According to what I see in my apparmor profiles, just a few apps want
to interact with the files listed above, especially with the
/var/log/wtmp . But when the apps do this, they sometimes want the
read access to this file. An example could be the last command. Is
there any reason for not having the r in the rule? The second thing
is the file /var/log/btmp (which isn't included in the
abstracion). Whenever I see an app, which wants to access the
/var/log/wtmp file, it also tries to interact with the /var/log/btmp
file, for instance lightdm/sddm or su . Most of the time they need
just wk permissions, but sometimes apps need also r on this file, an
example could be the lastb command, which is just a link to last.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/152
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/724
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit d4e0a9451154cf96634f76a40f5e462ee595d01d)
Signed-off-by: John Johansen <email address hidden>

f79ea04... by John Johansen on 2021-02-11

libapparmor: alphasort directory traversals

Directory traversal does not have a guaranteed walk order which can
cause ordering problems on profile loads when explicit dependencies
are missing.

Combined with MR:703 this provides a userspace work around for issue
147.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/147
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/706
Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit fe477af62a90a7ce80191708a5ecb419c33d4042)
Signed-off-by: John Johansen <email address hidden>

4983fda... by John Johansen on 2021-01-14

parser: fix rule downgrade for unix rules

Rule downgrades are used to provide some confinement when a feature
is only partially supported by the kernel.

  Eg. On a kernel that doesn't support fine grained af_unix mediation
      but does support network mediation.

        unix (connect, receive, send)
              type=stream
              peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

      will be downgraded to

        network unix type=stream,

Which while more permissive still provides some mediation while
allowing the appication to still function. However making the rule
a deny rule result in tightening the profile.

  Eg.
        deny unix (connect, receive, send)
              type=stream
              peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

      will be downgraded to

        deny network unix type=stream,

and that deny rule will take priority over any allow rule. Which means
that if the profile also had unix allow rules they will get blocked by
the downgraded deny rule, because deny rules have a higher priority,
and the application will break. Even worse there is no way to add the
functionality back to the profile without deleting the offending deny
rule.

To fix this we drop deny rules that can't be downgraded in a way that
won't break the application.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/700
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit 855dbd4ac8ddb253343d6a81e094030c28233888)
Signed-off-by: John Johansen <email address hidden>

3db5d76... by Christian Boltz on 2021-03-07

postfix-flush and -showq: add permissions needed with latest postfix

... as seen on openSUSE Tumbleweed

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/717
(cherry picked from commit 08719eebc1b2513d2c59dc8426c0525f10256b86)
Signed-off-by: John Johansen <email address hidden>

1cd34e5... by Christian Boltz on 2021-03-07

postfix: allow access to *.lmdb files

... in addition to *.db files.

openSUSE Tumbleweed now uses the lmdb format by default.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/717
(cherry picked from commit a07f30e25d55de40232b3203838d035dbf1935b4)
Signed-off-by: John Johansen <email address hidden>