apparmor:master

Last commit made on 2024-06-05
Get this branch:
git clone -b master https://git.launchpad.net/apparmor

Branch information

Name:
master
Repository:
lp:apparmor

Recent commits

70ddb0c... by Christian Boltz

Merge profiles: installation of php-fpm needs w @{run}/systemd/notify

Installation of php-fpm fails on Ubuntu because the profile does not allow writing to /run/systemd/notify.

Fixes: https://bugs.launchpad.net/bugs/2061113

Signed-off-by: Georgia Garcia <email address hidden>

I propose this fix for 4.0 and master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1251
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

49aa7ae... by Georgia Garcia

profiles: installation of php-fpm needs w @{run}/systemd/notify

Installation of php-fpm fails on Ubuntu because the profile does not
allow writing to /run/systemd/notify.

Fixes: https://bugs.launchpad.net/bugs/2061113

Signed-off-by: Georgia Garcia <email address hidden>

a6a1211... by Christian Boltz

Merge Add openSUSE path to plasmashell profile

While on it,
- add some comments explaining what the profile does
- adjust the rule with the Debian/Ubuntu path to work with Qt6

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961

I propose this fix for 4.0 and master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1248
Approved-by: Georgia Garcia <email address hidden>
Merged-by: Christian Boltz <email address hidden>

64469af... by Christian Boltz

Add openSUSE path to plasmashell profile

While on it,
- add some comments explaining what the profile does
- adjust the rule with the Debian/Ubuntu path to work with Qt6

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961

5adeb86... by Christian Boltz

Merge abstractions/nameservice: allow reading @{PROC}/@{pid}/net/ipv6_route

This file contains the same kind of information as @{PROC}/@{pid}/net/route
and both files are world readable:

```
$ ls -l /proc/self/net/*route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/ipv6_route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/route
```

Signed-off-by: Simon Deziel <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1246
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

7770cd7... by Simon Déziel

abstractions/nameservice: allow reading @{PROC}/@{pid}/net/ipv6_route

This file contains the same kind of information as @{PROC}/@{pid}/net/route
and both files are world readable:

```
$ ls -l /proc/self/net/*route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/ipv6_route
-r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/route
```

Signed-off-by: Simon Deziel <email address hidden>

32dc6cd... by Steve Beattie <email address hidden>

Merge regression tests: clean up userns_setns.c

Initialize the 'ret' variable to EXIT_FAILURE instead of doing so
in every error-handling path. Also fixes error handling in the case that mkfifo() fails.

Signed-off-by: Leesoo Ahn <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1245
Approved-by: Steve Beattie <email address hidden>
Merged-by: Steve Beattie <email address hidden>

a0a4744... by Leesoo Ahn <email address hidden>

regression tests: clean up userns_setns.c

Initialize the 'ret' variable to EXIT_FAILURE instead of doing so
in every error-handling path.

Signed-off-by: Leesoo Ahn <email address hidden>

920120f... by John Johansen <email address hidden>

Merge utils: fix removing unknown profiles that contain spaces

aa-remove-unknown doesn't deal properly with profiles that contain
spaces in their names.

Using profile "MongoDB Compass" as an example, awk's sub returns the
number of matches (either 1 or 0) and replaces the actual string ($0)
with the substitution. By accessing the return of sub with $, awk
would be accessing $1, which would return only "MongoDB".
Fix this by using $0 instead of $str.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/395

Signed-off-by: Georgia Garcia <email address hidden>

Closes #395
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1243
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
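The awk pitfall described in the commit above, reproduced as a stand-alone illustration. This is an added example, not the project's aa-remove-unknown script: the two awk one-liners, the function names and the sample profile line ("MongoDB Compass (enforce)", in the style of an entry from the apparmor profiles listing) are constructed here to show why `print $str` truncates a name with spaces while `print $0` does not.

```sh
#!/bin/sh
# Constructed demonstration of the awk field-indexing bug: sub() returns the
# number of substitutions made (0 or 1) and rewrites $0 in place. Feeding that
# return value to the $ operator selects a *field*, so a profile name that
# contains spaces collapses to its first word.

# Buggy variant: the return value of sub() (1 on a match) is used as a field
# index, so "$str" becomes "$1" and only the first word of the name survives.
buggy_extract() {
    printf '%s\n' "$1" | awk '{ str = sub(/ \([^)]*\)$/, ""); print $str }'
}

# Fixed variant: after sub() has stripped the trailing "(mode)" from the
# record, print the whole record ($0), which is the full profile name.
fixed_extract() {
    printf '%s\n' "$1" | awk '{ sub(/ \([^)]*\)$/, ""); print $0 }'
}

# Stand-alone run over the constructed sample lines.
for line in 'MongoDB Compass (enforce)' 'nginx (complain)' 'unconfined'; do
    printf 'input: %-28s buggy: %-18s fixed: %s\n' \
        "$line" "$(buggy_extract "$line")" "$(fixed_extract "$line")"
done
```

Note the edge case the loop also exercises: for a line with no trailing "(mode)" suffix, sub() returns 0 and `$str` degrades to `$0`, so the buggy form accidentally prints the whole line. The truncation therefore only shows up on names that both contain a space and match the substitution, which is why a single-word profile name like "nginx" never triggered the bug.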

b460539... by John Johansen <email address hidden>

Merge profiles/Makefile: Clean up rules to better support extra profiles

In the course of preparing !1207, I found that the validation rules in `profiles/Makefile` did not take kindly to the new `profiles/apparmor/profiles/extras/abstractions/` directory. I tried a couple rounds of quick fixes, but it became clear that the rules as currently written were just not amenable to the new addition, and needed more attention than I could give it by-the-by.

So I separated out that commit, and revised the makefile more thoroughly. The updated rules now rely more on `find(1)` than `$(wildcard)`, and have a number of [what I believe to be] small quality-of-life improvements. Taken together, `make check` passes cleanly with the new files from my other MR present.

One thing I noticed was that the profiles under `apparmor.d/` were not previously being checked for the `include if exists <local/*>` bit---only the ones under `extras/`. I've thus included a fix to the `sbuild-shell` profile, which fortunately was the only one that failed the check.

Note that at present, you'll get a couple of harmless `find: ‘./apparmor/profiles/extras/abstractions’: No such file or directory` errors when running the checks, since that directory won't appear until the other MR is merged. I figure, better to bear that for now, and not have to touch the makefile again later.

NOTE: The CI pipeline here will need to be updated to invoke the `check-local` target instead of `check-extras`. This target was renamed as it is no longer limited in scope to the profiles under `extras/`.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1214
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>