dcb3493...
by
John Johansen <email address hidden>
on 2024-04-22
Merge profiles: add fixes for samba from issue #386
Signed-off-by: Alex Murray <email address hidden>
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/386
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1219
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 1457eada8b421b4f39eb6e1381efecd2f3adcac7)
Signed-off-by: John Johansen <email address hidden>
8d6174e...
by
John Johansen
on 2024-04-08
Revert abi change for unix_chkpwd introduced by b69add4f2
commit
b69add4f2 Merge Allow pam_unix to execute unix_chkpwd
is a backport of a fix but that fix also updated the abi and that change
was unfortunately not dropped when it should have been.
Signed-off-by: John Johansen <email address hidden>
d18bc59...
by
John Johansen <email address hidden>
on 2024-04-03
Merge Move pam-related permissions to abstractions/authentication
... instead of keeping them in the smbd profile.
For details, see c09f58a364594607cdf5703d6e11aec14ade3ea8 and
https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
Also replace /usr/etc/ with @{etc_ro} so that also /etc/ is covered.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1191
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit f33488478753d2f4138150cfc69b9d120a7e7f25)
Signed-off-by: John Johansen <email address hidden>
b69add4...
by
John Johansen <email address hidden>
on 2024-03-14
Merge Allow pam_unix to execute unix_chkpwd
Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading
/etc/shadow itself. Add exec permissions to abstraction/authentication.
It also needs to read /proc/@{pid}/loginuid
Also cleanup the now-superfluous rules from the smbd profile.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1181
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 9a1838016c18aea24fde26858311b48b2fd8f3d6)
Signed-off-by: John Johansen <email address hidden>
7e04655...
by
John Johansen <email address hidden>
on 2024-03-12
Merge abstractions/crypto: allow read of more common crypto configuration files
Administrators might want to define global limits (e.g. disabling
a particular feature) via configuration files, but to make that work
all confined software needs to be allowed to read those files or
otherwise the risk is to silently fall back to internal defaults.
This adds the paths usually used by gnutls and openssl to improve these kinds of use cases.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2056739
Fixes: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2056747
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1178
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3d1dedfa7e75ff67ec9282d1c7c42ddb53422595)
Signed-off-by: John Johansen <email address hidden>
e575889...
by
John Johansen <email address hidden>
on 2024-04-03
Merge profiles/samba*: allow /etc/gnutls/config & @{HOMEDIRS}
# abstractions/samba: allow /etc/gnutls/config
Various samba components want to read it. Without it, shares cannot be accessed.
apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24037 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24036 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24038 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24041 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24039 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=24040 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=24035 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
# profiles/apparmor.d/samba-rpcd-classic: allow @{HOMEDIRS}
Give access to @{HOMEDIRS}, just like in usr.sbin.smbd, so that
usershares in /home/ can be accessed.
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/379
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1200
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 5998a0021a4f7527fe0b64771e5b9efe71267d8e)
Signed-off-by: John Johansen <email address hidden>
ff6489b...
by
John Johansen <email address hidden>
on 2024-04-03
Merge usr.sbin.sshd: Add new permissions needed on Ubuntu 24.04
Testing on noble turned these up:
`2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"`
`2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"`
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1196
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3aa40249cf153c17be5ad9d20a77365915397000)
Signed-off-by: John Johansen <email address hidden>
0b5a270...
by
Georgia Garcia
on 2024-03-12
Merge Fix test-aa-notify on openSUSE Tumbleweed (new 'last')
The new 2037-proof `last` on openSUSE Tumbleweed doesn't support the
`-1` option.
Remove it, and cut off the output manually.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1180
Approved-by: Georgia Garcia <email address hidden>
Merged-by: Georgia Garcia <email address hidden>
(cherry picked from commit ae978c19530e949e4fe6b69588d6295d039ee095)
d19db55a Fix test-aa-notify on openSUSE Tumbleweed (new 'last')
70ade00...
by
John Johansen <email address hidden>
on 2024-03-06
Merge utils: fix aa-notify last login test - apparmor 3.0 cherry-pick
Opened MR due to conflicts when cherry-picking commit 105b5050.
I decided to not change the method of temporary file creation.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1162
Merged-by: John Johansen <email address hidden>
7fc875a...
by
Georgia Garcia
on 2024-02-21
utils: fix aa-notify last login test
The tests for aa-notify that were related to the last login were
assuming that the machine had been logged in at least once in the last
30 days, but that might not be the case.
Update the test to check for the last login date and update the test
logs considering that value.
Fixes: https://bugs.launchpad.net/bugs/1939022
Signed-off-by: Georgia Garcia <email address hidden>
(cherry picked from commit 105b50502b085d5ffcd3b2e0e0cdf2d76881a3f9)
Signed-off-by: Georgia Garcia <email address hidden>