apparmor:apparmor-3.0

Last commit made on 2024-04-23
Get this branch:
git clone -b apparmor-3.0 https://git.launchpad.net/apparmor

Branch information

Name:
apparmor-3.0
Repository:
lp:apparmor

Recent commits

dcb3493... by John Johansen <email address hidden>

Merge profiles: add fixes for samba from issue #386

Signed-off-by: Alex Murray <email address hidden>

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/386
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1219
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 1457eada8b421b4f39eb6e1381efecd2f3adcac7)
Signed-off-by: John Johansen <email address hidden>

8d6174e... by John Johansen

Revert abi change for unix_chkpwd introduced by b69add4f2

commit
  b69add4f2 Merge Allow pam_unix to execute unix_chkpwd
is a backport of a fix but that fix also updated the abi and that change
was unfortunately not dropped when it should have been.

Signed-off-by: John Johansen <email address hidden>

d18bc59... by John Johansen <email address hidden>

Merge Move pam-related permissions to abstractions/authentication

... instead of keeping them in the smbd profile.

For details, see c09f58a364594607cdf5703d6e11aec14ade3ea8 and
https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12

Also replace /usr/etc/ with @{etc_ro} so that /etc/ is also covered.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1191
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit f33488478753d2f4138150cfc69b9d120a7e7f25)
Signed-off-by: John Johansen <email address hidden>

b69add4... by John Johansen <email address hidden>

Merge Allow pam_unix to execute unix_chkpwd

Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading
/etc/shadow itself. Add exec permissions to abstraction/authentication.

It also needs to read /proc/@{pid}/loginuid

Also cleanup the now-superfluous rules from the smbd profile.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1181
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 9a1838016c18aea24fde26858311b48b2fd8f3d6)
Signed-off-by: John Johansen <email address hidden>

7e04655... by John Johansen <email address hidden>

Merge abstractions/crypto: allow read of more common crypto configuration files

Administrators might want to define global limits (e.g. disabling
a particular feature) via configuration files, but to make that work
all confined software needs to be allowed to read those files or
otherwise the risk is to silently fall back to internal defaults.

This adds the paths usually used by gnutls and openssl to improve these kinds of use cases.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2056739
Fixes: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2056747
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1178
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3d1dedfa7e75ff67ec9282d1c7c42ddb53422595)
Signed-off-by: John Johansen <email address hidden>

e575889... by John Johansen <email address hidden>

Merge profiles/samba*: allow /etc/gnutls/config & @{HOMEDIRS}

# abstractions/samba: allow /etc/gnutls/config

Various samba components want to read it. Without it, shares cannot be accessed.

    apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24037 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24036 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24038 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24041 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24039 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=24040 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=24035 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

# profiles/apparmor.d/samba-rpcd-classic: allow @{HOMEDIRS}

Give access to @{HOMEDIRS}, just like in usr.sbin.smbd, so that
usershares in /home/ can be accessed.

    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/379
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1200
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 5998a0021a4f7527fe0b64771e5b9efe71267d8e)
Signed-off-by: John Johansen <email address hidden>

ff6489b... by John Johansen <email address hidden>

Merge usr.sbin.sshd: Add new permissions needed on Ubuntu 24.04

Testing on noble turned these up:

`2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"`

`2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"`

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1196
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3aa40249cf153c17be5ad9d20a77365915397000)
Signed-off-by: John Johansen <email address hidden>
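
The DENIED audit lines quoted in the samba (e575889) and sshd (ff6489b) commit messages above are the raw material behind the rule additions those commits describe. As an added example, not code from the apparmor project or from these commits, the Python script below parses both line shapes seen there (the type=1400 kernel form with the fields inline, and the type=1107 dbus form where the AppArmor fields sit inside msg='...'), aggregates denials per profile and resource, and turns plain file-path denials into candidate file rules for review. The sample input is constructed from the lines in those messages with made-up hostnames and pids; the function names parse_audit_line, describe_denial, summarise_denials and suggest_file_rules are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the DENIED entries quoted in the samba
# and sshd commit messages above; hostnames, pids and timestamps are made up.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
2024-03-27T00:10:28.929314-04:00 host kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"
2024-03-27T00:41:09.791826-04:00 host kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"'
apparmor="ALLOWED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23510 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# type=1107 (userspace/dbus) records wrap the AppArmor fields in msg='...'
MSG_RE = re.compile(r"msg='(.*)'")


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict.

    The msg='...' wrapper of type=1107 records is unwrapped first so its inner
    fields are parsed like the inline type=1400 form. A key that occurs twice
    (pid= outside and inside msg) keeps the inner, AppArmor-side value.
    """
    m = MSG_RE.search(line)
    if m:
        line = line[:m.start()] + m.group(1) + line[m.end():]
    fields = {}
    for km in KV_RE.finditer(line):
        key, quoted, bare = km.group(1), km.group(2), km.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def describe_denial(fields):
    """Map a parsed DENIED record to (profile, resource, mask) for aggregation.

    dbus records name the confined task via label= and the access via mask=,
    file/net records via profile= and requested_mask=; both are accepted.
    """
    profile = fields.get("profile") or fields.get("label") or "?"
    mask = fields.get("requested_mask") or fields.get("mask") or ""
    op = fields.get("operation", "")
    cls = fields.get("class", "")
    if cls == "file":
        resource = fields.get("name", "?")
    elif op == "dbus_method_call":
        resource = "dbus bus=%s %s.%s" % (
            fields.get("bus"), fields.get("interface"), fields.get("member"))
    elif cls == "net":
        resource = "%s %s %s" % (
            fields.get("family"), fields.get("sock_type"), fields.get("addr", ""))
    else:
        resource = "%s %s" % (op, fields.get("name", ""))
    return profile, resource, mask


def summarise_denials(log_text):
    """Aggregate DENIED lines into {profile: {resource: [sorted masks]}}.

    ALLOWED (complain-mode) records and non-AppArmor lines are skipped.
    """
    summary = defaultdict(lambda: defaultdict(set))
    for raw in log_text.splitlines():
        if 'apparmor="DENIED"' not in raw:
            continue
        fields = parse_audit_line(raw)
        if fields.get("apparmor") != "DENIED":
            continue
        profile, resource, mask = describe_denial(fields)
        summary[profile][resource].add(mask)
    return {p: {r: sorted(m) for r, m in res.items()} for p, res in summary.items()}


def suggest_file_rules(summary):
    """Turn file-path denials into candidate AppArmor file rules for review,
    e.g. '/etc/gnutls/config r,'. dbus and network denials are only reported
    by summarise_denials, not translated into rules."""
    rules = defaultdict(list)
    for profile, resources in summary.items():
        for resource, masks in resources.items():
            if resource.startswith("/"):
                rules[profile].append("%s %s," % (resource, "".join(masks)))
    return dict(rules)


if __name__ == "__main__":
    summary = summarise_denials(SAMPLE_LOG)
    for profile, resources in sorted(summary.items()):
        print(profile)
        for resource, masks in sorted(resources.items()):
            print("  %-70s %s" % (resource, ",".join(masks)))
    for profile, rules in sorted(suggest_file_rules(summary).items()):
        print("candidate rules for %s:" % profile)
        for rule in rules:
            print("  " + rule)
```

The candidate rules are literal paths, which is what the log gives you; the maintainers' fix generalised the usershare denial to @{HOMEDIRS} and placed /etc/gnutls/config in a shared abstraction rather than in each samba profile, so treat the output as a starting point for that kind of review rather than something to append to a profile unchanged.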

0b5a270... by Georgia Garcia

Merge Fix test-aa-notify on openSUSE Tumbleweed (new 'last')

The new 2037-proof `last` on openSUSE Tumbleweed doesn't support the
`-1` option.

Remove it, and cut off the output manually.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1180
Approved-by: Georgia Garcia <email address hidden>
Merged-by: Georgia Garcia <email address hidden>

(cherry picked from commit ae978c19530e949e4fe6b69588d6295d039ee095)

d19db55a Fix test-aa-notify on openSUSE Tumbleweed (new 'last')

70ade00... by John Johansen <email address hidden>

Merge utils: fix aa-notify last login test - apparmor 3.0 cherry-pick

Opened MR due to conflicts when cherry-picking commit 105b5050.

I decided to not change the method of temporary file creation.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1162
Merged-by: John Johansen <email address hidden>

7fc875a... by Georgia Garcia

utils: fix aa-notify last login test

The tests for aa-notify that were related to the last login were
assuming that the machine had been logged in at least once in the last
30 days, but that might not be the case.

Update the test to check for the last login date and update the test
logs considering that value.

Fixes: https://bugs.launchpad.net/bugs/1939022

Signed-off-by: Georgia Garcia <email address hidden>
(cherry picked from commit 105b50502b085d5ffcd3b2e0e0cdf2d76881a3f9)
Signed-off-by: Georgia Garcia <email address hidden>