commit 5f6e213d23375a34f49fe923eba4686e13e67951 Author: John Johansen Date: Mon Aug 14 14:35:16 2023 -0700 Prepare for AppArmor 4.0 alpha 2 release - update version file Signed-off-by: John Johansen commit d717adfc2f8246e2d0dc3372c40f378eafd25d42 Merge: f9036d57d 4a21bd104 Author: John Johansen Date: Mon Aug 14 21:28:40 2023 +0000 Merge parser: make attach_disconnected.path enable attach_disconnected Currently you need to use attach_disconnected with attach_disconnected.path=XXX to be able to attach to a different location than / whic is ugly and redundant. Make it so attach_disconnected.path implies attach_disconnected. Signed-off-by: John Johansen MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1084 Approved-by: Christian Boltz Merged-by: John Johansen commit 4a21bd104ce15dcc53d351cb17873f541d0452b9 Author: John Johansen Date: Mon Aug 14 13:28:31 2023 -0700 parser: make attach_disconnected.path enable attach_disconnected Currently you need to use attach_disconnected with attach_disconnected.path=XXX to be able to attach to a different location than / whic is ugly and redundant. Make it so attach_disconnected.path implies attach_disconnected. Signed-off-by: John Johansen commit f9036d57de8229b7d0f98c4cf10be2dc45e6ba37 Merge: 8eee4de83 c87dd7985 Author: John Johansen Date: Mon Aug 14 20:28:26 2023 +0000 Merge document that attach_disconnected.path expexts =PATH MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1083 Approved-by: John Johansen Merged-by: John Johansen commit c87dd7985f7b320850558f3421ba7604961970c6 Author: Christian Boltz Date: Mon Aug 14 22:22:02 2023 +0200 document that attach_disconnected.path expexts =PATH commit 8eee4de83eb198a22760461bbb98eb3199512cb0 Merge: 03669ae3d dbb2a1d0b Author: John Johansen Date: Mon Aug 14 14:15:25 2023 +0000 Merge parser: add support for attach_disconnected.path Add support for specifying the path prefix used when attach disconnected is specified. TODO: add regression tests Signed-off-by: John Johansen MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/661 Approved-by: John Johansen Merged-by: John Johansen commit dbb2a1d0bbb0dbb71b5004838b348ae05ba1b9c4 Author: John Johansen Date: Fri Jun 30 01:30:09 2023 -0700 tests: regression, add basic regression tests Add a couple basic attach disconnected regression tests Signed-off-by: John Johansen commit b46b2662fffea883f91e2b102a0463fc1eb0acb8 Author: John Johansen Date: Tue Oct 20 03:53:06 2020 -0700 parser: add support for attach_disconnected.path Add support for specifying the path prefix used when attach disconnected is specified. The kernel supports prepending a different value than / when a path is disconnected. Expose through a profile flag. Signed-off-by: John Johansen commit 03669ae3df9d8b3955a5af5635c5514f95237a65 Merge: 941118c69 46debcc49 Author: John Johansen Date: Mon Aug 14 07:55:31 2023 +0000 Merge Add aa-logprof test framework ... and a simple test for a single (fake) event for ping. Notes: - to let aa-logprof work in the CI environment, we need to skip checking for the AppArmor mountpoint. Introduce --no-check-mountpoint for this. - PYTHONPATH and LD_LIBRARY_PATH need to be explicitely forwarded when starting aa-logprof via subprocess.Popen() - if the test runs with coverage enabled, it will also start aa-logprof with coverage (parameters copied from Makefile). Speaking about coverage - this test adds 4% overall coverage, and 10% more coverage for apparmor/aa.py. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1082 Approved-by: John Johansen Merged-by: John Johansen commit 941118c69967f089f6acf6f15454ecb3f4580ec9 Merge: 65de34f46 37ffc6eac Author: John Johansen Date: Mon Aug 14 07:54:19 2023 +0000 Merge profiles: allow for the default dovecot libexecdir Though many Linux distros choose to pass _/usr/lib_ as the libexecdir while configuring dovecot, such as [Debian](https://sources.debian.org/src/dovecot/1%3A2.3.20%2Bdfsg1-1/debian/rules/#L132) and [Arch](https://gitlab.archlinux.org/archlinux/packaging/packages/dovecot/-/blob/main/PKGBUILD#L76), others like Alpine Linux and Gentoo don't pass anything as libexecdir, allowing it to default to _/usr/libexec_. Both appear to be valid. From [FHS 3.0, Chapter 4.7](https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html): > Some previous versions of this document did not support _/usr/libexec_, despite it being standard practice in a number of environments. To accomodate this restriction, it became common practice to use _/usr/lib_ instead. Either practice is now acceptable, but each application must choose one way or the other to organize itself. Allow for the default libexec subdir _/usr/libexec/dovecot_ as well as the more common _/usr/lib/dovecot_. Signed-off-by: Peter Levine MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1080 Approved-by: John Johansen Merged-by: John Johansen commit 46debcc4930572a2637ecf58bf4349c88700ce4c Author: Christian Boltz Date: Sun Aug 13 16:44:14 2023 +0200 Add aa-logprof test framework ... and a simple test for a single (fake) event for ping. Notes: - to let aa-logprof work in the CI environment, we need to skip checking for the AppArmor mountpoint. Introduce --no-check-mountpoint for this. - PYTHONPATH and LD_LIBRARY_PATH need to be explicitely forwarded when starting aa-logprof via subprocess.Popen() - if the test runs with coverage enabled, it will also start aa-logprof with coverage (parameters copied from Makefile). Speaking about coverage - this test adds 4% overall coverage, and 10% more coverage for apparmor/aa.py. commit 65de34f4623f697f3bf3d5c5884202614cb3448d Merge: 313366fbb d6bc10794 Author: Christian Boltz Date: Sun Aug 13 15:02:45 2023 +0000 Merge Add `include if exists ` to all tunables (except the deprecated tunables/sys) This allows users to extend variables without editing the main tunables files. It also allows to cleanly introduce new tunable files (via tunables/global.d) and new aliases (via tunables/alias.d). Note: some files already had `include `. These get changed to `include if exists`, and the comments for these includes get unified. Also extend make check to ensure that all tunables include tunables/$FILE.d Fixes: https://gitlab.com/apparmor/apparmor/-/issues/347 I propose this patch for 3.0..master. Closes #347 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1077 Approved-by: timeout Merged-by: Christian Boltz commit 37ffc6eac80e174cb3f7613d9931e9ea38643f6e Author: Peter Levine Date: Thu Aug 3 01:00:48 2023 -0400 profiles: allow for the default dovecot libexecdir Allow for the default libexec subdir, /usr/libexec/dovecot, as well as the more common /usr/lib/dovecot. Signed-off-by: Peter Levine commit 313366fbbc51d1d84500ea43549b940e8ffbcc14 Merge: 93dff6a80 64c1eb9cd Author: John Johansen Date: Wed Aug 2 11:13:40 2023 +0000 Merge parser: fix encoding of unix permissions for setopt and getopt The permissions for AA_NET_OPT need to be bounded by mask so we can make sure it matches when a policy specified only setopt or only getopt. This was causing failures on the regression tests unix_socket_pathname, unix_socket_abstract, unix_socket_unnamed and unix_socket_autobind Fixes: 44f3be091 ("parser: convert the stored audit from a bit mask to a bool") Signed-off-by: Georgia Garcia MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1079 Approved-by: John Johansen Merged-by: John Johansen commit 64c1eb9cda0e80ff2c5b6ef391ca64a5deaeffb4 Author: Georgia Garcia Date: Tue Aug 1 16:20:20 2023 -0300 tests: fix feature test Fixes: 81f0b84d ("tests: fix feature checking if it's a directory") Signed-off-by: Georgia Garcia commit 210ad63cbf17327811f40250c6fd34c30b19c723 Author: Georgia Garcia Date: Tue Aug 1 14:19:31 2023 -0300 parser: fix encoding of unix permissions for setopt and getopt The permissions for AA_NET_OPT need to be bounded by mask so we can make sure it matches when a policy specified only setopt or only getopt. This was causing failures on the regression tests unix_socket_pathname, unix_socket_abstract, unix_socket_unnamed and unix_socket_autobind Fixes: 44f3be091 ("parser: convert the stored audit from a bit mask to a bool") Signed-off-by: Georgia Garcia commit 93dff6a806f70939fcf286d21cfa8a4e9e6f7428 Merge: 80f7add3b e5dace9ff Author: John Johansen Date: Mon Jul 31 04:10:33 2023 +0000 Merge parser: add support for prompt profile mode Add support for the prompt profile flag. That allows policy to do an upcall to userspace if supported by the kernel and if a userspace daemon is available. Signed-off-by: John Johansen MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1062 Approved-by: John Johansen Merged-by: John Johansen commit e5dace9ffd0cca77f53dd05fe518bdca4850e74c Author: John Johansen Date: Thu Dec 5 14:20:24 2019 -0800 parser: add support for prompt profile mode Add support for the prompt profile mode. Signed-off-by: John Johansen commit 80f7add3b72530fb792ca6c30538dacd2f328c40 Merge: c2b8ca1b2 7dc0254b9 Author: John Johansen Date: Mon Jul 31 02:40:23 2023 +0000 Merge Add option to log aa-logprof json input and output Add a json_log option (default: disabled) to logprof.conf that enables logging of all aa-logprof and aa-genprof input and output to a /tmp/aa-jsonlog-* file. This can be useful for debugging, and maybe also to create tests that do a full aa-logprof run. This patch introduces a minor behaviour change if aa-logprof errors out on startup (for example if the config file is broken or the parser can't be found): Before: ``` $ aa-logprof --json {"dialog": "apparmor-json-version","data": "2.12"} ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` After: ``` $ aa-logprof --json ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` Note that the json version line will not be printed if aa-logprof or aa-genprof error out that early. If there are no startup errors, the behaviour will not change. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1078 Approved-by: John Johansen Merged-by: John Johansen commit c2b8ca1b28a9a53d9ab39b849ea19ccfadb634b2 Merge: 17a521ff5 018efdeb9 Author: John Johansen Date: Mon Jul 31 02:39:44 2023 +0000 Merge firefox: fix app name and DBus access Minor fixes for the firefox profile: 1. The attachment spec was failing to match `/usr/lib/firefox-esr/firefox-esr` on Debian; 2. The `Mounted` method of `org.gtk.vfs.MountTracker` is received, not sent. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1076 Approved-by: John Johansen Merged-by: John Johansen commit 7dc0254b906c3c7b2590b21457eb921d0d391684 Author: Christian Boltz Date: Sun Jul 30 21:14:36 2023 +0200 Add option to log aa-logprof json input and output Add a json_log option (default: disabled) to logprof.conf that enables logging of all aa-logprof and aa-genprof input and output to a /tmp/aa-jsonlog-* file. This can be useful for debugging, and maybe also to create tests that do a full aa-logprof run. This patch introduces a minor behaviour change if aa-logprof errors out on startup (for example if the config file is broken or the parser can't be found): Before: ``` $ aa-logprof --json {"dialog": "apparmor-json-version","data": "2.12"} ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` After: ``` $ aa-logprof --json ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` Note that the json version line will not be printed if aa-logprof or aa-genprof error out that early. If there are no startup errors, the behaviour will not change. commit d6bc107940c1abb648afdcf4fbd231e6042d2ed1 Author: Christian Boltz Date: Sun Jul 30 00:58:21 2023 +0200 make check: ensure that all tunables include tunables/$FILE.d (except the deprecated tunables/sys) commit 5657799dc7c055d1ed203b8cae5c41c96cb97002 Author: Christian Boltz Date: Sun Jul 30 00:47:34 2023 +0200 Add `include if exists ` to all tunables (except the deprecated tunables/sys) This allows users to extend variables without editing the main tunables files. It also allows to cleanly introduce new tunable files (via tunables/global.d) and new aliases (via tunables/alias.d). Note: some files already had `include `. These get changed to `include if exists`, and the comments for these includes get unified. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/347 commit 018efdeb9db23dc46a1e5cba89ce11de337b7580 Author: Daniel Richard G Date: Tue Jul 25 20:04:26 2023 -0400 firefox: fix app name and DBus access commit 17a521ff5051d4e36c38d2cb760d0d97773f5a8d Merge: 853b13853 f1ab009a0 Author: John Johansen Date: Wed Jul 19 21:17:35 2023 +0000 Merge ask_exec: Stop checking for CMD_nx (named exec) ... because it gets translated to CMD_px or CMD_cx earlier in the function. Also add a safety check for unknown answers. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1072 Approved-by: John Johansen Merged-by: John Johansen commit 853b138537dba058d49da5a9f0f1f4b7511dc472 Merge: d6673f95d 94082cc5e Author: John Johansen Date: Wed Jul 19 21:16:36 2023 +0000 Merge libapparmor: fix dynamic linkage It appears that lto1 does not support -dynamic, and that ld no longer documents -dynamic. Which results in the following build failure when usine lto1 for link time optimizations ``` [ 45s] libtool: link: gcc -shared -fPIC -DPIC .libs/grammar.o .libs/libaalogparse.o .libs/kernel.o .libs/scanner.o .libs/private.o .libs/features.o .libs/kernel_interface.o .libs/policy_cache.o .libs/PMurHash.o -flto-partition=none -O2 -fstack-protector-strong -flto=auto -dynamic -Wl,--version-script=../src/libapparmor.map -flto=auto -pthread -Wl,-soname -Wl,libapparmor.so.1 -o .libs/libapparmor.so.1.17.0 [ 45s] lto1: warning: unrecognized gcc debugging option: y [ 45s] lto1: warning: unrecognized gcc debugging option: n [ 45s] lto1: warning: unrecognized gcc debugging option: m [ 45s] lto1: warning: unrecognized gcc debugging option: i [ 45s] lto1: warning: unrecognized gcc debugging option: c ``` Switch to -Bdynamic which is documented. Signed-off-by: John Johansen MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1071 Approved-by: Georgia Garcia Approved-by: Christian Boltz Merged-by: John Johansen commit d6673f95d2181b037dc831d9c0756500decc6196 Merge: b2274a7f5 81f0b84da Author: John Johansen Date: Wed Jul 19 21:16:23 2023 +0000 Merge tests: fix feature checking if it's a directory The test to check if the kernel supports a feature covers two cases: 1. The file/directory indicates a feature is supported. 2. The feature is supported if it's in the contents of the file. When the intended check is for case 1, and the file does not exist, then the code checks if it's case 2, but since it was not supposed to be, we end up grepping a directory, causing an error message. Fix this by checking if we're grepping a file. Signed-off-by: Georgia Garcia MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1074 Approved-by: John Johansen Merged-by: John Johansen commit b2274a7f5db15e9b6c50e36d306ff0127dd23b37 Merge: b6bd4f542 10529a6db Author: John Johansen Date: Wed Jul 19 21:14:45 2023 +0000 Merge Revert "policy: pin policy to 4.0 abi for dev" This reverts commit 460c3d5b59d020d363ffcf9f61787850ecc0c3e0. The 4.0 ABI was pinned for the development cycle but it can cause in-tree uses of parser/parser.conf to fail if it cannot find the 4.0 file in /etc/apparmor.d/abi/. Signed-off-by: Georgia Garcia MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1073 Approved-by: John Johansen Merged-by: John Johansen commit 81f0b84da516c0f5511c8ea7a958e7ca795331f7 Author: Georgia Garcia Date: Tue Jul 18 17:58:54 2023 -0300 tests: fix feature checking if it's a directory The test to check if the kernel supports a feature covers two cases: 1. The file/directory indicates a feature is supported. 2. The feature is supported if it's in the contents of the file. When the intended check is for case 1, and the file does not exist, then the code checks if it's case 2, but since it was not supposed to be, we end up grepping a directory, causing an error message. Fix this by checking if we're grepping a file. Signed-off-by: Georgia Garcia commit 10529a6db704a62d9b66b768d3a5a29097b26636 Author: Georgia Garcia Date: Wed Jul 19 17:36:46 2023 -0300 Revert "policy: pin policy to 4.0 abi for dev" This reverts commit 460c3d5b59d020d363ffcf9f61787850ecc0c3e0. The 4.0 ABI was pinned for the development cycle but it can cause in-tree uses of parser/parser.conf to fail if it cannot find the 4.0 file in /etc/apparmor.d/abi/. Signed-off-by: Georgia Garcia commit f1ab009a095f1c5d3678f29cf37ee5b7a9382d5a Author: Christian Boltz Date: Wed Jul 19 21:29:33 2023 +0200 ask_exec: Stop checking for CMD_nx (named exec) ... because it gets translated to CMD_px or CMD_cx earlier in the function. Also add a safety check for unknown answers. commit 94082cc5e4d870594c45913022068a8bd392a9f1 Author: John Johansen Date: Mon Jul 17 21:04:11 2023 -0700 libapparmor: fix dynamic linkage It appears that lto1 does not support -dynamic, and that ld no longer documents -dynamic. Which results in the following build failure when usine lto1 for link time optimizations [ 45s] libtool: link: gcc -shared -fPIC -DPIC .libs/grammar.o .libs/libaalogparse.o .libs/kernel.o .libs/scanner.o .libs/private.o .libs/features.o .libs/kernel_interface.o .libs/policy_cache.o .libs/PMurHash.o -flto-partition=none -O2 -fstack-protector-strong -flto=auto -dynamic -Wl,--version-script=../src/libapparmor.map -flto=auto -pthread -Wl,-soname -Wl,libapparmor.so.1 -o .libs/libapparmor.so.1.17.0 [ 45s] lto1: warning: unrecognized gcc debugging option: y [ 45s] lto1: warning: unrecognized gcc debugging option: n [ 45s] lto1: warning: unrecognized gcc debugging option: m [ 45s] lto1: warning: unrecognized gcc debugging option: i [ 45s] lto1: warning: unrecognized gcc debugging option: c Switch to -Bdynamic which is documented. Signed-off-by: John Johansen commit b6bd4f5421c68a7abc0c2e69863a64fd68931590 Merge: a271b2474 87896b949 Author: Steve Beattie Date: Thu Jul 13 13:43:26 2023 -0500 parser: improve errors.py test coverage, convert to unittest.main Merge the following commits: - [12cf66ff0] parser/errors.py: check error message + error code for non-existent profiles - [87896b949] parser/errors.py: convert to unittest.main() MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1070 Signed-off-by: Steve Beattie Approved-by: John Johansen commit 87896b949641d026ca95cb033cdaf273af811b66 Author: Steve Beattie Date: Thu Jul 13 12:31:42 2023 -0500 parser/errors.py: convert to unittest.main() Do this to simplify test identification, and also support the different invocation mechanisms of unittest, like running individual tests. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1070 Signed-off-by: Steve Beattie Approved-by: John Johansen commit 12cf66ff0bacdbf990b81731c9d99d403a11e9dc Author: Steve Beattie Date: Tue Jul 11 14:20:55 2023 -0500 parser/errors.py: check error message + error code for non-existent profiles Add tests for passing the parser a file that doesn't exist, a symlink to a file that doesn't exist, and a directory that contains that latter. Also include tests for different levels of -j passed as an argument. These tests are based on the fixing commit 125931950838 ("parser: Fix parser failing to handle errors when setting up work") MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1070 Signed-off-by: Steve Beattie Approved-by: John Johansen commit a271b2474cda2190f067cb137e9baf9c4d92299d Author: Georgia Garcia Date: Tue Jul 11 13:23:38 2023 -0300 Prepare for AppArmor 4.0 alpha release - update version file - update library version Signed-off-by: Georgia Garcia commit 3cd2baccddaa6affe1378e6b056cac74a106c717 Merge: 74b101faa 5e8567c9e Author: Georgia Garcia Date: Tue Jul 11 12:10:23 2023 +0000 Merge parser: rework perms rule merging Instead of pushing the cmp logic for rule merging into each rule class make it the default behavior for the perms_rule_t parent class. Also save off the original perms for the merged rule. For classes that don't want perms merging add an alternate dedup_perms_rule_t clase. Signed-off-by: John Johansen MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1069 Approved-by: Georgia Garcia Merged-by: Georgia Garcia commit 5e8567c9e95ba61d08ef8113230ce4ac4cd373e2 Author: John Johansen Date: Mon Jul 10 20:04:53 2023 -0700 parser: rework perms rule merging Instead of pushing the cmp logic for rule merging into each rule class make it the default behavior for the perms_rule_t parent class. Also save off the original perms for the merged rule. For classes that don't want perms merging add an alternate dedup_perms_rule_t clase. Signed-off-by: John Johansen commit 74b101faa810ee27926e4f3836fd2f6aa644979f Merge: 1dfd26aea 24f834b12 Author: John Johansen Date: Tue Jul 11 02:26:10 2023 +0000 Merge parser: improve dfa generation speedup and reduce memory usage of dfa generation A variety of changes to improve dfa generation - By switching to Nodevec instead of Node sets we can reduce memory usage slightly and reduce code - By using charsets for chars we reduce code and increase chances of node merging/reduction which reduces memory usage slightly - By merging charsets we reduce the number of nodes Signed-off-by: John Johansen MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1066 Approved-by: John Johansen Merged-by: John Johansen commit 1dfd26aea7388b87f9d07040b5efa36ca136dd59 Merge: 806b097d9 cdb5e501d Author: John Johansen Date: Tue Jul 11 02:18:45 2023 +0000 Merge parser: add permission merging By changing the compare function from each rule to use class_rule_t, instead of perms_rule_t, we temporarily ignore if permissions are different. If every rule attribute is the same, then the permissions can be merged. This is done at the perms_rule_t's level. Signed-off-by: Georgia Garcia MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1068 Approved-by: John Johansen Merged-by: John Johansen commit 806b097d9a974fd00dd0c3529142514beb180138 Merge: 1279f85e4 88baa2879 Author: John Johansen Date: Mon Jul 10 21:05:21 2023 +0000 Merge tests: only compile and run io_uring tests if liburing-dev is installed Compiling of io_uring tests fail if liburing-dev is not installed. Also, the tests were not running as part of the test suite. Signed-off-by: Georgia Garcia MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1067 Approved-by: John Johansen Merged-by: John Johansen commit cdb5e501d611f15f40aa0f61a9e19531ad2bc7ee Author: Georgia Garcia Date: Mon Jul 10 17:58:08 2023 -0300 parser: add permission merging By changing the compare function from each rule to use class_rule_t, instead of perms_rule_t, we temporarily ignore if permissions are different. If every rule attribute is the same, then the permissions can be merged. This is done at the perms_rule_t's level. Signed-off-by: Georgia Garcia commit 1279f85e4a395afba4161e6d2a0f4936b6f239e5 Merge: 3b832dd31 501e87a3f Author: John Johansen Date: Mon Jul 10 19:13:25 2023 +0000 Merge parser: Improve rule merging/dedup Currently File rules are the only rules that have rule dedup/merging performed. Extend support for rule merging to all other rule types. This can result in a small performance regression when rules can not be merged/deduped but can result in a large performance increase when lots of rules can be eliminated. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1065 Approved-by: Georgia Garcia Merged-by: John Johansen commit 3b832dd313e63e51df6976a3d2d3fa534025eebc Merge: f6b179010 eafae0dd0 Author: Georgia Garcia Date: Mon Jul 10 13:09:48 2023 +0000 Merge tests/regression/apparmor/capabilities.sh: fail iopl/ioperm with lockdown In MR #1063 the tests/regression/apparmor/syscall.sh script was updated to account for kernel lockdown, but the capabilities.sh script also exercises these system calls so this also needs to be updated as well. Also required to fix issue #226. Signed-off-by: Alex Murray Closes #226 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1064 Approved-by: Georgia Garcia Merged-by: Georgia Garcia commit 501e87a3f2466f0cee6d9a16b9f823819dcc84e4 Author: John Johansen Date: Sat Jul 8 19:49:34 2023 -0700 parser: Cleanup parser control flags, so they display as expected to user Instead of having multiple tables, since we have room post split of optimization and dump flags just move all the optimization and dump flags into a common table. We can if needed switch the flag entry size to a long in the future. Signed-off-by: John Johansen commit 1754b4da699c93be8bf2c40cc1a734bf3cf82bc2 Author: John Johansen Date: Wed Jul 5 04:33:14 2023 -0700 parser: add flags to control rule merging Add the ability to control whether rule merging is done. TODO: in the furture cleanup display of flags split accross two tables Signed-off-by: John Johansen commit e84e48126305d2f2480b54811ed2e13dbe4918a6 Author: John Johansen Date: Thu Jul 6 16:41:56 2023 -0700 parser: cleanup and rework optimization and dump flag handling In preparation for more flags (not all of the backend dfa based), rework the optimization and dump flag handling which has been exclusively around the dfa up to this point. - split dfa control and dump flags into separate fields. This gives more room for new flags in the existing DFA set - rename DFA_DUMP, and DFA_CONTROL to CONTROL_DFA and DUMP_DFA as this will provide more uniform naming for none dfa flags - group dump and control flags into a structure so they can be passed together. Signed-off-by: John Johansen commit c5f2fcbb956c06725bdb948cb173231506b09f58 Author: John Johansen Date: Wed Jul 5 04:02:29 2023 -0700 parser: add rule merging for dbus rules Signed-off-by: John Johansen commit 5e713276ca8cbc8927b15ef2b88049ce50a084cf Author: John Johansen Date: Wed Jul 5 03:56:20 2023 -0700 parser: add rule merging for af_unix rules this is reuired because af_rule merging does not take into account the potential af_unix addresses and could incorrectly merge af_unix rules. Signed-off-by: John Johansen commit 00553a6dd555661707e689b357c03f95e502678a Author: John Johansen Date: Wed Jul 5 03:52:08 2023 -0700 parser: add rule mergeing for af_rules Signed-off-by: John Johansen commit 08a0970d1f8252bd3b734d72ddb0ea2b8aac516a Author: John Johansen Date: Wed Jul 5 03:44:55 2023 -0700 parser: add io_uring rule merging Signed-off-by: John Johansen commit ca976bf5cbc061825ab3c8441b64ad306585b1c4 Author: John Johansen Date: Wed Jul 5 03:41:26 2023 -0700 parser: add rule merging for mqueue rules Signed-off-by: John Johansen commit 0f660828e1aeaaffe3532a3173cc7cd623bb10ab Author: John Johansen Date: Wed Jul 5 03:37:03 2023 -0700 parser: add rule merging for ptrace rules Signed-off-by: John Johansen commit fd20c226e04f617a0712284dfd10c95202495970 Author: John Johansen Date: Wed Jul 5 03:32:44 2023 -0700 parser: add rule merging for userns rules Signed-off-by: John Johansen commit 53b99a82f6424a7cf579cbfbb3a7b78e5acfdebf Author: John Johansen Date: Wed Jul 5 03:27:03 2023 -0700 parser: add rule merging for signals Signed-off-by: John Johansen commit 3ede2c46cfdb28cf2e578ad87180e3798c9f2ce5 Author: John Johansen Date: Wed Jul 5 03:05:23 2023 -0700 parser: add rule dedup of mount rules Signed-off-by: John Johansen commit 7d9958890f4a1bf4975140776c25e639bd2dafb2 Author: John Johansen Date: Mon Jul 3 23:52:57 2023 -0700 parser: finish basic infrastructure for rule merging Currently only file rules get merged. Finish adding basic support for rule merging and make the default the behavior to dedup merge rules that are exact matches. Signed-off-by: John Johansen commit 88baa287999e96879de813e40be742df496b2932 Author: Georgia Garcia Date: Wed Jul 5 11:06:14 2023 -0300 common: fix newline on Makefile rules The required extra newline was removed unintentionally in 0b719e4f8. Signed-off-by: Georgia Garcia commit 502b83a2a672d33129f6ad25eaa1322b03a8fafd Author: Georgia Garcia Date: Wed Jul 5 11:05:02 2023 -0300 tests: only compile and run io_uring tests if liburing-dev is installed Compiling of io_uring tests fail if liburing-dev is not installed. Also, the tests were not running as part of the test suite. Signed-off-by: Georgia Garcia commit dbca8ebb896124bd444f862a49a22e7990dffe75 Author: John Johansen Date: Mon Jul 3 01:41:43 2023 -0700 parser: Improve the rule skip test. Rules can be marked as being deleted/merged, and should be skipped on further processing. Signed-off-by: John Johansen commit eafae0dd038d3e5231a988da423fc859326e9e17 Author: Alex Murray Date: Wed Jul 5 11:32:24 2023 +0930 tests/regression/apparmor/capabilities.sh: fail iopl/ioperm with lockdown In MR #1063 the tests/regression/apparmor/syscall.sh script was updated to account for kernel lockdown, but the capabilities.sh script also exercises these system calls so this also needs to be updated as well. Also required to fix issue #226. Signed-off-by: Alex Murray commit f6b179010ec0e101e9cacce31139d611f3650348 Merge: 5dda59334 367babf9c Author: John Johansen Date: Tue Jul 4 06:58:16 2023 +0000 Merge parser: add support for exposing a debug flag to policy Allowing access to a debug flag can greatly improve policy debugging. This is different than the debug mode of old, that was removed. It only will trigger additional messages to the kernel ring buffer, not the audit log, and it does not change mediation. Signed-off-by: John Johansen MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1060 Approved-by: Georgia Garcia Merged-by: John Johansen commit 5dda5933455d5b0e24f50e1681490bae2750ad4e Merge: 7393aaac2 460c3d5b5 Author: John Johansen Date: Tue Jul 4 06:57:52 2023 +0000 Merge policy: update to use 4.0 abi Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1061 Approved-by: Christian Boltz Merged-by: John Johansen commit 7393aaac212284cdbea395f6715d4e68bb8691e7 Merge: 271f0e236 6ca499210 Author: John Johansen Date: Tue Jul 4 06:52:33 2023 +0000 Merge tests/regression/apparmor/syscall.sh: fail iopl/ioperm with lockdown When kernel lockdown is enabled the ioperm and iopl tests will fail regardless since lockdown prevents these syscalls before AppArmor has a chance to mediate them. So workaround this by detecting when lockdown is enabled and expect the tests to fail in that case. Fixes issue #226. Signed-off-by: Alex Murray Closes #226 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1063 Approved-by: John Johansen Merged-by: John Johansen commit 6ca4992107d0306cf8c3a0324757685c3cb9d56b Author: Alex Murray Date: Tue Jul 4 15:45:45 2023 +0930 tests/regression/apparmor/syscall.sh: fail iopl/ioperm with lockdown When kernel lockdown is enabled the ioperm and iopl tests will fail regardless since lockdown prevents these syscalls before AppArmor has a chance to mediate them. So workaround this by detecting when lockdown is enabled and expect the tests to fail in that case. Fixes issue #226. Signed-off-by: Alex Murray commit 24f834b128b528596bffc7bf94da3336a9929815 Author: John Johansen Date: Sun Jul 2 13:33:17 2023 -0700 parser: allow character sets to be used as exact match permissions character sets are just a way of enumerating to exact match rules more succinctly, so loosen the exact match check to allow them. Signed-off-by: John Johansen commit 9e9ca7e55d47f0a236f19b2d0d6c6f4bcafe2c90 Author: John Johansen Date: Sat Jan 30 02:34:37 2021 -0800 Drop code that is now unused because of the conversion to NodeVec Drop NodeCache and hashedNodes as they are no longer used. Signed-off-by: John Johansen commit 61c20a0ae8af3d5897dfe06c5c742ec28554d8e6 Author: John Johansen Date: Sat Jan 30 02:32:38 2021 -0800 convert anodes to using NodeVecs instead of NodeSets Signed-off-by: John Johansen commit 53d00b4d2bcd52eb59399edf31847844c29731eb Author: John Johansen Date: Sat Jan 30 02:23:54 2021 -0800 rename hashedNodeVec to NodeVec Shorten the name length by dropping the leading "hashed". Signed-off-by: John Johansen commit 3f6ebfd218b73c3d0153a4f1c0302f5106b424b1 Author: Daniel Richard G Date: Tue Jun 20 22:56:57 2023 -0400 firefox: updates from usage monitoring commit 367babf9cbd216498c5c3ce1e41c8a2a5c6776b7 Author: John Johansen Date: Fri Jun 30 10:48:22 2023 -0700 parser: add support for exposing a debug flag to policy Allowing access to a debug flag can greatly improve policy debugging. This is different than the debug mode of old, that was removed. It only will trigger additional messages to the kernel ring buffer, not the audit log, and it does not change mediation. Signed-off-by: John Johansen commit 460c3d5b59d020d363ffcf9f61787850ecc0c3e0 Author: John Johansen Date: Fri Jun 30 23:43:40 2023 -0700 policy: pin policy to 4.0 abi for dev TO BE REVERTED: this is a dev patch to help make sure policy is getting updated. Signed-off-by: John Johansen commit f1b4da2f64459c1715b8c2157e33ebd2e26ab253 Author: John Johansen Date: Fri Jun 30 23:36:12 2023 -0700 policy: update to use 4.0 abi Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen commit 271f0e2366dd306c63e21aaf7dac5f9fadfbba59 Merge: 5b7e63787 dc5d999c5 Author: John Johansen Date: Sat Jul 1 01:06:17 2023 +0000 Merge firefox: updates from usage monitoring I have a number of updates for the Firefox profile, based on monitoring AppArmor logs in the course of my own usage. I'm going to try annotating the diff with the appropriate log messages, to see if that is a useful way of documenting the changes. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1055 Approved-by: John Johansen Merged-by: John Johansen commit 5b7e637872a4308ef35aa55369c5888013d96ca4 Merge: 162aa447d 07919c2c7 Author: John Johansen Date: Sat Jul 1 01:05:46 2023 +0000 Merge abstractions/fonts: allow writing to fontconfig user cache files Apologies for the second push; this change is made with the understanding that the abstraction is not intended to be solely read-only. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1059 Approved-by: John Johansen Merged-by: John Johansen commit dc5d999c5bb6ada652bb9e25a3205714e24ca901 Author: Daniel Richard G Date: Tue Jun 20 22:56:57 2023 -0400 firefox: updates from usage monitoring commit 07919c2c7018ddbda177b5ba8203bbf81b37ae50 Author: Daniel Richard G Date: Fri Jun 30 18:26:03 2023 -0400 abstractions/fonts: allow writing to fontconfig user cache files commit 162aa447d2c304a811b636812e1b224429ec1fe6 Merge: 15492fe8c 3b51143d8 Author: John Johansen Date: Fri Jun 30 17:45:32 2023 +0000 Merge abstractions/fonts: allow locking fontconfig user cache files Got this after allowing `rw` access to `~/.cache/fontconfig/**`: `Jun 20 00:41:26 testvm kernel: [3280307.358614] audit: type=1400 audit(1687236086.210:127519): apparmor="DENIED" operation="file_lock" profile="firefox" name="/home/username/.cache/fontconfig/a41116dafaf8b233ac2c61cb73f2ea5f-le64.cache-7" pid=1758224 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1002 ouid=1002` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1057 Approved-by: John Johansen Merged-by: John Johansen commit 15492fe8c95eee08b41dbea1d79e014c80b33740 Merge: ab218526b b0902a34d Author: John Johansen Date: Fri Jun 30 17:43:51 2023 +0000 Merge binutils: fix resource leak on aa-load Dir "d" is not closed when asprintf fails. Found by coverity: CID 321416: Resource leaks (RESOURCE_LEAK) Signed-off-by: Georgia Garcia MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1058 Approved-by: John Johansen Merged-by: John Johansen commit b0902a34d1cde1b23290d451f6b332aa2318a490 Author: Georgia Garcia Date: Fri Jun 30 10:00:29 2023 -0300 binutils: fix resource leak on aa-load Dir "d" is not closed when asprintf fails. Found by coverity: CID 321416: Resource leaks (RESOURCE_LEAK) Signed-off-by: Georgia Garcia commit ab218526bf50b36ab26b3d2aa76814b8823c71a3 Merge: fef3eb369 e7844e723 Author: John Johansen Date: Fri Jun 30 07:02:34 2023 +0000 Merge parser: Remove check for root to run parser The check isn't correct, it should be checking for capability MAC_ADMIN, but in the future that won't be correct either. Instead rely on the kernel to check permission to load policy, which it alread does as it is possible to by-pass the parser to load policy. Also improve the error message when the kernel does deny loading policy due to failed permission checks. Signed-off-by: John Johansen MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1044 Approved-by: Seth Arnold Merged-by: John Johansen commit 3b51143d871c4c5e095a330f2481adbd3a89fbaa Author: Daniel Richard G Date: Thu Jun 29 21:26:05 2023 -0400 abstractions/fonts: allow locking fontconfig user cache files commit e7844e723e353c07cceb15ac342e5b113814720c Author: John Johansen Date: Tue May 30 15:04:48 2023 -0700 parser: Remove check for root to run parser The check isn't correct, it should be checking for capability MAC_ADMIN, but in the future that won't be correct either. Instead rely on the kernel to check permission to load policy, which it alread does as it is possible to by-pass the parser to load policy. Also improve the error message when the kernel does deny loading policy due to failed permission checks. Signed-off-by: John Johansen commit fef3eb36936724a24fdccb89f4d1a9f3f2d06f18 Merge: d788af089 cb2292922 Author: John Johansen Date: Thu Jun 29 21:38:02 2023 +0000 Merge add userspace support for io_uring mediation ``` io_uring rules have the following format: io_uring [] [