apparmor:apparmor-3.0

Last commit made on 2022-06-29
Get this branch:
git clone -b apparmor-3.0 https://git.launchpad.net/apparmor

Branch information

Name: apparmor-3.0
Repository: lp:apparmor

Recent commits

1881323... by Christian Boltz

Merge [3.0] Fix inconsistent return length in _run_tests()

This is a manual backport of
728dbde5e44e63ad6db0c186cc710f316478c0a9 / https://gitlab.com/apparmor/apparmor/-/merge_requests/890 by Mark Grassi

For the record: the inconsistent return length was introduced when
splitting run_tests() into two functions in
500cbf89a70b2d0acf13e5e84399c9d5b3aabb07

2.13 and older don't have the split run_tests() and therefore don't need this patch.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/891
Approved-by: Georgia Garcia <email address hidden>
Merged-by: Christian Boltz <email address hidden>

b9aaa63... by Christian Boltz

Fix inconsistent return length in _run_tests()

This is a manual backport of
728dbde5e44e63ad6db0c186cc710f316478c0a9 by Mark Grassi

For the record: the inconsistent return length was introduced when
splitting run_tests() into two functions in
500cbf89a70b2d0acf13e5e84399c9d5b3aabb07

8cf3ec7... by Christian Boltz

Merge samba profiles: support paths used by Arch Linux

On Arch Linux `rpcd_classic`, `rpcd_epmapper`, `rpcd_fsrvp`, `rpcd_lsad`, `rpcd_mdssvc`, `rpcd_rpcecho`, `rpcd_spoolss`, `rpcd_winreg`, `samba-bgqd`, `samba-dcerpcd` and `smbspool_krb5_wrapper` are in `/usr/lib/samba/samba/`.

See https://archlinux.org/packages/extra/x86_64/samba/files/ and https://bugs.archlinux.org/task/74614.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/883
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit 48fc233d05be0c94eac1fe304a4e16cf7dc3900e)

deadcc0d samba profiles: support paths used by Arch Linux

d4e465a... by John Johansen

parser: fix min length calculation for inverse character sets

The inverse character set lists the characters it doesn't match. If
the inverse character set contains an oob then that is NOT considered
a match. So length should be one.

However, because of how oobs are handled, not containing an oob doesn't mean
there is a match either. Currently the only way to match an oob is
via a positive expression (no inverse matches are possible).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/872
Signed-off-by: John Johansen <email address hidden>

8890dbc... by John Johansen <email address hidden>

Merge Update for the mesa abstraction

I noticed that some apps return the following errors when launched:

```
  kernel: audit: type=1400 audit(1651244478.255:5501): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  kernel: audit: type=1400 audit(1651244478.255:5502): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Blocking the files results in the following errors when the app is executed in a terminal:

```
  MESA: error: Failed to query drm device.
  libGL error: failed to create dri screen
  libGL error: failed to load driver: crocus
  MESA: error: Failed to query drm device.
  libGL error: failed to create dri screen
  libGL error: failed to load driver: crocus
```

Since they have something to do with MESA, I think the mesa abstraction should
be updated to fix the issue.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/879
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
Signed-off-by: John Johansen <email address hidden>

0e7d009... by John Johansen <email address hidden>

Merge Add missing permissions for dovecot-{imap,lmtp,pop3}

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1199535

I propose this patch for 3.0 and master. (2.13 and older have more different dovecot profiles which might make backporting a bit harder.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/881
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
Signed-off-by: John Johansen <email address hidden>

215b5de... by John Johansen <email address hidden>

Merge parser/capability.h: add missing <cstdint> include

Without the change apparmor build fails on this week's gcc-13 snapshot as:

    capability.h:66:6: error: variable or field '__debug_capabilities' declared void
       66 | void __debug_capabilities(uint64_t capset, const char *name);
          | ^~~~~~~~~~~~~~~~~~~~
    capability.h:66:27: error: 'uint64_t' was not declared in this scope
       66 | void __debug_capabilities(uint64_t capset, const char *name);
          | ^~~~~~~~
    capability.h:23:1: note: 'uint64_t' is defined in header '<cstdint>'; did you forget to '#include <cstdint>'?
       22 | #include <linux/capability.h>
      +++ |+#include <cstdint>
       23 |

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/882
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
Signed-off-by: John Johansen <email address hidden>

59c8d43... by John Johansen

parser: move ifdefs for capabilities to single common file

Unfortunately the parser was doing ifdef checks for capabilities
in two places. Move all the capability ifdefs into capability.h

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/768
Signed-off-by: John Johansen <email address hidden>
Acked-by: Georgia Garcia <email address hidden>
Signed-off-by: John Johansen <email address hidden>

ec19c34... by Christian Boltz

Merge profiles/apparmor.d: update samba-dceprpc & samba-rpcd-* profiles

aarch64 needs some additional rules on tumbleweed to handle for
example

```
apparmor="DENIED" operation="file_mmap" profile="samba-dcerpcd" name="/usr/lib64/samba/samba-dcerpcd" pid=897 comm="samba-dcerpcd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
```

The other new rpcd_* services exhibit similar errors

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198309

Signed-off-by: Noel Power <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/880
Approved-by: Christian Boltz <email address hidden> for 3.0 and master
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit ab19f5599db7900e5adfd4ef79197199729465df)

6a621616 profiles/apparmor.d: update samba-dceprpc & samba-rpcd-* profiles

df1bbdb... by John Johansen <email address hidden>

Merge Allow reading all of /etc/php[578]/** in abstractions/php

... and with that, make a rule in the php-fpm profile (which missed
php8) superfluous.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/876
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3083ce7a391db3f5b0d382e60fbdcd2735648abf)
Signed-off-by: John Johansen <email address hidden>