Merge MountRule: Relaxing constraints on fstype and completing AARE support
- Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
- Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).
AppArmor 4.0.1 will be the official release superseding the 4.0.0 tag
the only change being it adds a regression test for CVE-2016-1585
- update version file
Signed-off-by: John Johansen <email address hidden>
5ad4efe...
by
John Johansen <email address hidden>
Merge regression tests: add mount test for CVE-2016-1585
Add infrastructure for calling the mount test binary with an fstype
instead of using the default hardcoded ext2 type, and then use that in a
test that exercises CVE-2016-1585, ensuring that mounting a procfs
filesystem isn't permitted when the only mount rule is
mount options=(rw,make-slave) -> **,
to try to ensure that the generated and enforced policy is restricted to
what is intended.
Signed-off-by: John Johansen <email address hidden>
c8e25e4...
by
John Johansen <email address hidden>
Merge parser: add network inet mediation documentation to apparmor.d
This updates the man page for the recent inet mediation patch.
This is an extension of MR 1202, it adds a patch that changes the anonymous ip address anon to be ip address none which is a better fit.
This patch adds documentation of the recent network changes which extended all network rules to support access permissions, and added address and port matching for inet and inet6 families.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1213
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit ab9e6311f33296bee11bdd24561a5d3b7b5bbd78)
Signed-off-by: John Johansen <email address hidden>
68dd052...
by
John Johansen <email address hidden>
Merge parser: inet conditionals should only generate rules for inet family
When a family is specified in the network rules, we have to make sure
the conditionals match the family. A netlink rule should not be able
to specify ip and port for local and remote (peer) sockets, for example.
When type or protocol is specified in network rules along with inet
conditionals, we should only generate rules for the families that
support those conditionals.