lp:~talkless/apparmor/fix_traceroute_tcp

Created by Vincas Dargis and last modified
Get this branch:
bzr branch lp:~talkless/apparmor/fix_traceroute_tcp

Branch information

Owner:
Vincas Dargis
Project:
AppArmor
Status:
Merged

Recent revisions

3663. By Vincas Dargis

fix traceroute denies in tcp mode

3662. By Christian Boltz

More strict profile_storage()

This patch makes the profile_storage() data structure more strict. It
- initializes everything inside a profile with proper values
- makes the profile storage a dict() instead of a hasher(), which means
  it will complain loudly when trying to access non-existing elements
  (hasher() was more forgiving, but this also meant hiding bugs)

The patch also fixes a minor issue related to the more strict 'repo'
profile property in serialize_profile().

Acked-by: Seth Arnold <email address hidden>

3661. By Christian Boltz

Ignore ptrace log events without denied_mask

This fixes a crash in the tools.

Reported by peetaur on IRC.

Acked-by: John Johansen <email address hidden> for trunk and 2.11.

3660. By Christian Boltz

Add two parser files to .bzrignore

- parser/libapparmor_re/parse.cc is autogenerated during build
- parser/tst_lib gets compiled during "make check"

Both files get deleted by make clean.

Acked-by: John Johansen <email address hidden> for trunk and 2.11.

3659. By Christian Boltz

Fix aa-logprof crash on ptrace garbage log events

(garbage) ptrace events like
    ... apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=""
cause an empty name2 field, which leads to a crash in the tools.

This patch lets logparser.py ignore such garbage log events, which also
avoids the crash.

As usual, add some testcases.

test-libapparmor-test_multi.py needs some special handling to ignore the
empty name2 field in one of the testcases.

References: https://bugs.launchpad.net/apparmor/+bug/1689667

Acked-by: Seth Arnold <email address hidden> for trunk and 2.11.

Older releases can't handle ptrace log events and therefore can't crash ;-)

3658. By Jamie Strandboge

Update base abstraction for additional journald sockets

The base abstraction already allows write access to
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the journal
  (see systemd-cat(1)).

In addition to systemd-cat, the stdout access is required for nested container
(eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD
containers require 'r' in addition to 'w' to work. journald does not allow
reading log entries from this socket so the access is deemed safe.

Signed-off-by: Jamie Strandboge <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3657. By Tyler Hicks

libapparmor: Don't print shell commands that check for test failures

Error messages should only show up in build logs when the error has been
encountered. This patch silences these shell commands from being printed
before they're interpreted.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: John Johansen <email address hidden>
Acked-by: Christian Boltz <email address hidden>

3656. By Tyler Hicks

libapparmor: Fix parallel make dependency issue in testsuite

A multi job `make check` command could fail due to check-local running
before the check-DEJAGNU target, which is automatically generated by
automake, would complete. This would result in a build failure due to
libaalogparse.log not yet existing.

Fix the issue by depending on the check-DEJAGNU target.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: John Johansen <email address hidden>

3655. By Christian Boltz

Ignore test failures about duplicated conditionals in dbus rules

Since r3634, the tools allow any order of dbus conditionals.

Quoting the r3634 patch description:

  This patch eases the restriction on the ordering at the expense of the
  utils no longer being able to detect and reject a single attribute that
  is repeated multiple times. In that situation, only the last occurrence
  of the attribute will be honored by the utils.

It seems nobody tested with all test profiles generated ;-) so we have to
add some exceptions to the "does not raise an exception" list now.

Acked-by <timeout> for trunk and 2.11

3654. By Steve Beattie

profiles: abstractions/base - Allow sysconf(_SC_NPROCESSORS_CONF)

Merge Simon McVittie's patch to allow querying the number of configured
processors in the base abstraction.

Acked-by: Steve Beattie <email address hidden>

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:apparmor/2.12