apparmor:apparmor-3.0

Last commit made on 2020-11-30
Get this branch:
git clone -b apparmor-3.0 https://git.launchpad.net/apparmor

Branch information

Name:
apparmor-3.0
Repository:
lp:apparmor

Recent commits

900b595... by John Johansen on 2020-11-28

aa-notify: don't crash if the logfile is not present due to rotation

If aa-notify races file rotation it may crash with a trace back to
the log file being removed before the new one is moved into place.

    Traceback (most recent call last):
       File "/usr/sbin/aa-notify", line 570, in <module>
         main()
       File "/usr/sbin/aa-notify", line 533, in main
          for message in notify_about_new_entries(logfile, args.wait):
       File "/usr/sbin/aa-notify", line 145, in notify_about_new_entries
         for event in follow_apparmor_events(logfile, wait):
       File "/usr/sbin/aa-notify", line 236, in follow_apparmor_events
         if os.stat(logfile).st_ino != log_inode:
    FileNotFoundError: [Errno 2] No such file or directory: '/var/log/audit/audit.log'

If we hit this situation sleep and then retry opening the logfile.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/130
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/688
Signed-off-by: John Johansen <email address hidden>
Acked-by: Christian Boltz <email address hidden>
(cherry picked from commit 7c88f02d6a2a367b3ac6b84366d07b9d6de1869d)
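
The sleep-and-retry handling this commit message describes, as an added sketch that is not aa-notify's own code: a log follower that treats `FileNotFoundError` from the inode check as "rotation in progress" and waits for the new file. The names `follow_log` and `open_when_present`, and the injectable `sleep` and `max_polls` parameters, are hypothetical and exist only for this illustration.

```python
import os
import time


def open_when_present(path, sleep, retry):
    """Open `path`, waiting while a rotation has it temporarily removed."""
    while True:
        try:
            fh = open(path, "r", errors="replace")
            return fh, os.fstat(fh.fileno()).st_ino
        except FileNotFoundError:
            sleep(retry)  # new log not moved into place yet


def follow_log(path, poll=1.0, retry=1.0, sleep=time.sleep, max_polls=None):
    """Yield complete lines appended to `path`, following it across rotation.

    max_polls bounds consecutive idle polls (None means follow forever).
    """
    fh, inode = open_when_present(path, sleep, retry)
    idle = 0
    try:
        while max_polls is None or idle < max_polls:
            pos = fh.tell()
            line = fh.readline()
            if line.endswith("\n"):
                idle = 0
                yield line[:-1]
                continue
            fh.seek(pos)  # nothing new, or a half-written line: re-read later
            idle += 1
            try:
                # The unguarded form of this check is what raised in the traceback.
                rotated = os.stat(path).st_ino != inode
            except FileNotFoundError:
                rotated = True  # old file removed, replacement not there yet
            if rotated:
                fh.close()
                fh, inode = open_when_present(path, sleep, retry)
            else:
                sleep(poll)
    finally:
        fh.close()
```

The old file is read to its end before the inode check runs, so lines written just before rotation are not lost when the follower switches to the new file.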

4992a6a... by Christian Boltz on 2020-11-08

create_new_profile(): check if abstractions exist

... instead of blindly adding them to the profile, and later crash
(and/or cause parser errors) because they don't exist.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/683
(cherry picked from commit dfd7c245cda09acb8f6eadb943b325b863cb11a8)
Signed-off-by: John Johansen <email address hidden>

dd7f181... by Christian Boltz on 2020-11-08

aa-autodep: load abstractions on start

So far, aa-autodep "accidentally" loaded the abstractions when parsing the
existing profiles. Obviously, this only worked if there is at least one
profile in the active or extra profile directory.

Without any existing profiles, aa-autodep crashed with
KeyError: '/tmp/apparmor.d/abstractions/base'

Prevent this crash by explicitly loading the abstractions on start.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/682
(cherry picked from commit f6b3de71161f9acfa177e879017560000b7ffde8)
Signed-off-by: John Johansen <email address hidden>

ec93821... by Christian Boltz on 2020-11-16

abstractions/X: Allow (only) reading X compose cache

... (/var/cache/libx11/compose/*), and deny any write attempts

Reported by darix,
https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/685
(cherry picked from commit 78bd811e2a23f55974991cd208f6a17749655c21)
Signed-off-by: John Johansen <email address hidden>

7497ff4... by John Johansen <email address hidden> on 2020-11-01

Merge Fix invalid Pux (should be PUx) permissions in dhclient-script

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/676
Acked-by: John Johansen <email address hidden>
(cherry picked from commit c29357a294ed31bbb436ada091fff1e31599b36e)
Signed-off-by: John Johansen <email address hidden>

c4150a1... by John Johansen <email address hidden> on 2020-11-01

Merge Fix hotkey conflict in utils de.po and id.po

This is needed to catch conflicts between uppercase and lowercase hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in the German utils translations.

Also fix conflicting hotkeys in utils de.po, id.po and sv.po.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/675
Acked-by: John Johansen <email address hidden>
(cherry picked from commit e57174589cd5049a8bdcd905666db1ce64904f71)
Signed-off-by: John Johansen <email address hidden>

cd46444... by Vincas Dargis on 2020-10-25

dovecot: allow reading dh.pem

Dovecot is hit with this denial on Debian 10 (buster):
```
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
```

This results in a fatal error:

```
Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
/usr/share/dovecot/dh.pem: Permission denied
```

Add rule to allow reading dh.pem.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 9d8e111abe3f54681bb8ba5d47b6fc43e4f4a034)
Signed-off-by: John Johansen <email address hidden>

ba23532... by Vincas Dargis on 2020-10-25

dovecot: allow kill signal

Dovecot might try to kill related processes:

```
type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/auth"

type=AVC msg=audit(1601315453.655:9369): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3"

type=AVC msg=audit(1602939754.145:101362): apparmor="DENIED"
operation="signal" profile="dovecot" pid=31632 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3-login"
```
This was discovered on a low-power high-load machine (last resort timeout
handling?).

Update signal rule to allow SIGKILL.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 2f9d172c641bd21671721e76e0d65ba4bd914107)
Signed-off-by: John Johansen <email address hidden>
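
An added example, not part of either dovecot commit: parsing the AVC denials quoted in the two commit messages above and grouping them into the narrowest candidate rules per profile, as a reviewer might do before widening a profile. The function names are hypothetical, and the rule strings are what this sketch derives from the log fields, not the rules the commits added.

```python
import re
from collections import defaultdict

# Denials quoted in the two dovecot commits, re-joined onto single lines.
SAMPLE = [
    'type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED" operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED" operation="signal" profile="dovecot" pid=21223 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/auth"',
    'type=AVC msg=audit(1601315453.655:9369): apparmor="DENIED" operation="signal" profile="dovecot" pid=21223 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/pop3"',
    'type=AVC msg=audit(1602939754.145:101362): apparmor="DENIED" operation="signal" profile="dovecot" pid=31632 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/pop3-login"',
]

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return the fields of one AppArmor denial as a dict, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: value.strip('"') for key, value in KV.findall(line)}


def candidate_rule(ev):
    """Narrowest rule text covering one denial (for human review only)."""
    if ev.get("operation") == "signal":
        return "signal (%s) set=(%s) peer=%s," % (
            ev["denied_mask"], ev["signal"], ev["peer"])
    if "name" in ev:
        return "%s %s," % (ev["name"], ev["denied_mask"])
    return None  # other operation types are out of scope for this sketch


def summarize(lines):
    """Map profile name -> sorted, de-duplicated candidate rules."""
    rules = defaultdict(set)
    for line in lines:
        ev = parse_avc(line)
        rule = candidate_rule(ev) if ev else None
        if rule:
            rules[ev["profile"]].add(rule)
    return {profile: sorted(found) for profile, found in rules.items()}
```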

11d1f38... by intrigeri on 2020-10-25

Fix typos

Spotted by Lintian.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/669
(cherry picked from commit d6e18b0db8a93e527acaff20eefa4b1a8609cbc9)
Signed-off-by: John Johansen <email address hidden>

51144b5... by intrigeri on 2020-10-25

apparmor_xattrs.7: fix whatis entry

Spotted by Lintian (bad-whatis-entry).

(cherry picked from commit 0da70b173ca32dd066d0d8fef6f9984112e6ec53)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/669
Signed-off-by: John Johansen <email address hidden>