apparmor:apparmor-3.0

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

1881323... by Christian Boltz on 2022-06-29

Merge [3.0] Fix inconsistent return length in _run_tests()

This is a manual backport of
728dbde5e44e63ad6db0c186cc710f316478c0a9 / https://gitlab.com/apparmor/apparmor/-/merge_requests/890 by Mark Grassi

For the records: the inconsistent return length was introduced when
splitting run_tests() into two functions in
500cbf89a70b2d0acf13e5e84399c9d5b3aabb07

2.13 and older don't have the split run_tests() and therefore don't need this patch.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/891
Approved-by: Georgia Garcia <email address hidden>
Merged-by: Christian Boltz <email address hidden>

b9aaa63... by Christian Boltz on 2022-06-28

Fix inconsistent return length in _run_tests()

This is a manual backport of
728dbde5e44e63ad6db0c186cc710f316478c0a9 by Mark Grassi

For the records: the inconsistent return length was introduced when
splitting run_tests() into two functions in
500cbf89a70b2d0acf13e5e84399c9d5b3aabb07

8cf3ec7... by Christian Boltz on 2022-06-06

Merge samba profiles: support paths used by Arch Linux

On Arch Linux `rpcd_classic`, `rpcd_epmapper`, `rpcd_fsrvp`, `rpcd_lsad`, `rpcd_mdssvc`, `rpcd_rpcecho`, `rpcd_spoolss`, `rpcd_winreg`, `samba-bgqd`, `samba-dcerpcd` and `smbspool_krb5_wrapper` are in `/usr/lib/samba/samba/`.

See https://archlinux.org/packages/extra/x86_64/samba/files/ and https://bugs.archlinux.org/task/74614.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/883
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit 48fc233d05be0c94eac1fe304a4e16cf7dc3900e)

deadcc0d samba profiles: support paths used by Arch Linux

d4e465a... by John Johansen on 2022-04-14

parser: fix min length calculation for inverse character sets

The inverse character set lists the characters it doesn't match. If
the inverse character set contains an oob then that is NOT considered
a match. So length should be one.

However because of oobs are handle not containing an oob doesn't mean
there is a match either. Currently the only way to match an oob is
via a positive express (no inverse matches are possible).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/872
Signed-off-by: John Johansen <email address hidden>

8890dbc... by John Johansen <email address hidden> on 2022-05-23

Merge Update for the mesa abstraction

I noticed that some apps return the following errors when launched:

```
  kernel: audit: type=1400 audit(1651244478.255:5501): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  kernel: audit: type=1400 audit(1651244478.255:5502): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Blocking the files results in the following errors when the app is executed in a terminal:

```
  MESA: error: Failed to query drm device.
  libGL error: failed to create dri screen
  libGL error: failed to load driver: crocus
  MESA: error: Failed to query drm device.
  libGL error: failed to create dri screen
  libGL error: failed to load driver: crocus
```

Since they have something to do with MESA, I think the mesa abstraction should
be updated to fix the issue.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/879
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
Signed-off-by: John Johansen <email address hidden>

0e7d009... by John Johansen <email address hidden> on 2022-05-23

Merge Add missing permissions for dovecot-{imap,lmtp,pop3}

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1199535

I propose this patch for 3.0 and master. (2.13 and older have more different dovecot profiles which might make backporting a bit harder.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/881
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
Signed-off-by: John Johansen <email address hidden>

215b5de... by John Johansen <email address hidden> on 2022-05-23

Merge parser/capability.h: add missing <cstdint> include

Without the change apparmor build fails on this week's gcc-13 snapshot as:

    capability.h:66:6: error: variable or field '__debug_capabilities' declared void
       66 | void __debug_capabilities(uint64_t capset, const char *name);
          | ^~~~~~~~~~~~~~~~~~~~
    capability.h:66:27: error: 'uint64_t' was not declared in this scope
       66 | void __debug_capabilities(uint64_t capset, const char *name);
          | ^~~~~~~~
    capability.h:23:1: note: 'uint64_t' is defined in header '<cstdint>'; did you forget to '#include <cstdint>'?
       22 | #include <linux/capability.h>
      +++ |+#include <cstdint>
       23 |

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/882
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
Signed-off-by: John Johansen <email address hidden>

59c8d43... by John Johansen on 2021-07-02

parser: move ifdefs for capabilities to single common file

Unfortunately the parser was doing ifdef checks for capabilities
in two places. Move all the capability ifdefs into capability.h

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/768
Signed-off-by: John Johansen <email address hidden>
Acked-by: Georgia Garcia <email address hidden>
Signed-off-by: John Johansen <email address hidden>

ec19c34... by Christian Boltz on 2022-05-11

Merge profiles/apparmor.d: update samba-dceprpc & samba-rpcd-* profiles

aarch64 needs some additional rules on tumbleweed to handle for
example

apparmor="DENIED" operation="file_mmap" profile="samba-dcerpcd" name="/usr/lib64/samba/samba-dcerpcd" pid=897 comm="samba-dcerpcd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

The other new rpcd_* services exhibit similar errors

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198309

Signed-off-by: Noel Power <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/880
Approved-by: Christian Boltz <email address hidden> for 3.0 and master
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit ab19f5599db7900e5adfd4ef79197199729465df)

6a621616 profiles/apparmor.d: update samba-dceprpc & samba-rpcd-* profiles

df1bbdb... by John Johansen <email address hidden> on 2022-04-19

Merge Allow reading all of /etc/php[578]/** in abstractions/php

... and with that, make a rule in the php-fpm profile (which missed
php8) superfluous.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/876
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3083ce7a391db3f5b0d382e60fbdcd2735648abf)
Signed-off-by: John Johansen <email address hidden>