lp:~talkless/apparmor/fix_user_download_nonlatin

Branch merges

Propose for merging

No branches dependent on this one.

Merged into lp:apparmor/2.12 at revision 3691

Steve Beattie: Approve on 2017-08-09

intrigeri: Approve on 2017-07-03

Diff: 27 lines (+3/-3)

2 files modified

profiles/apparmor.d/abstractions/user-download (+1/-1)
profiles/apparmor.d/abstractions/user-write (+2/-2)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

3666. By Vincas Dargis on 2017-07-02

fix user-write abstraction for non-latin file names

3665. By Vincas Dargis on 2017-06-24

fix user_download abstraction for non-latin file names

3664. By Goldwyn Rodrigues on 2017-06-15

json support for logprof and genprof

From: Goldwyn Rodrigues <email address hidden>

Provides json support to tools in order to interact with other
utilities such as Yast.

The JSON output is one per line, in order to differentiate between
multiple records. Each JSON record has a "dialog" entry which defines
the type of message passed. A response must contain the "dialog"
entry. "info" message does not require a response.

"apparmor-json-version" added in order to identify the communication
protocol version for future updates.

This is based on work done by Christian Boltz.

Signed-off-by: Goldwyn Rodrigues <email address hidden>

Acked-by: Christian Boltz <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3663. By Goldwyn Rodrigues <email address hidden> on 2017-06-11

Remove yast from utils

From: Goldwyn Rodrigues <email address hidden>

This is the yast cleanup from the utils code. All yast communication
should be done with JSON interface now.

Signed-off-by: Goldwyn Rodrigues <email address hidden>

Acked-by: Christian Boltz <email address hidden>

3662. By Christian Boltz on 2017-06-06

More strict profile_storage()

This patch makes the profile_storage() data structure more strict. It
- initializes everything inside a profile with proper values
- makes the profile storage a dict() instead of a hasher(), which means
  it will complain loudly when trying to access non-existing elements
  (hasher() was more forgiving, but this also meant hiding bugs)

The patch also fixes a minor issue related to the more strict 'repo'
profile property in serialize_profile().

Acked-by: Seth Arnold <email address hidden>

3661. By Christian Boltz on 2017-05-19

Ignore ptrace log events without denied_mask

This fixes a crash in the tools.

Reported by peetaur on IRC.

Acked-by: John Johansen <email address hidden> for trunk and 2.11.

3660. By Christian Boltz on 2017-05-19

Add two parser files to .bzrignore

- parser/libapparmor_re/parse.cc is autogenerated during build
- parser/tst_lib gets compiled during "make check"

Both files get deleted by make clean.

Acked-by: John Johansen <email address hidden> for trunk and 2.11.

3659. By Christian Boltz on 2017-05-19

Fix aa-logprof crash on ptrace garbage log events

(garbage) ptrace events like
    ... apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=""
cause an empty name2 field, which leads to a crash in the tools.

This patch lets logparser.py ignore such garbage log events, which also
avoids the crash.

As usual, add some testcases.

test-libapparmor-test_multi.py needs some special handling to ignore the
empty name2 field in one of the testcases.

References: https://bugs.launchpad.net/apparmor/+bug/1689667

Acked-by: Seth Arnold <email address hidden> for trunk and 2.11.

Older releases can't handle ptrace log events and therefore can't crash ;-)

3658. By Jamie Strandboge on 2017-05-04

Update base abstraction for additional journald sockets

The base abstraction already allows write access to
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the journal
  (see systemd-cat(1)).

In addition to systemd-cat, the stdout access is required for nested container
(eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD
containers require 'r' in addtion to 'w' to work. journald does not allow
reading log entries from this socket so the access is deemed safe.

Signed-off-by: Jamie Strandboge <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3657. By Tyler Hicks on 2017-04-20

libapparmor: Don't print shell commands that check for test failures

Error messages should only show up in build logs when the error has been
encountered. This patch silences these shell commands from being printed
before they're interpreted.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: John Johansen <email address hidden>
Acked-by: Christian Boltz <email address hidden>