lp://qastaging/apparmor
- Get this branch:
- bzr branch lp://qastaging/apparmor
Import details
This branch is an import of the HEAD branch of the Git repository at https://gitlab.com/apparmor/apparmor.git.
Recent revisions
- 4068. By Christian Boltz <email address hidden>
-
Merge branch 'cboltz-complex-profile-name' into 'master'

Add some tests for complex profile names

See merge request apparmor/apparmor!360

Acked-by: Eric Chiang <email address hidden>
- 4067. By John Johansen <email address hidden>
-
Merge branch 'identd' into 'master'
identd: Add network netlink dgram
identd requires access to network netlink dgram.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/353

Signed-off-by: John Johansen <email address hidden>
- 4066. By John Johansen <email address hidden>
-
Adjust tests to match base abstraction update.
Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/358

Acked-by: Christian Boltz <email address hidden>
Signed-off-by: John Johansen <email address hidden>
- 4065. By John Johansen <email address hidden>
-
Merge branch 'base-abstraction-allow-all-libraries' into 'master'

base abstraction: allow mr on *.so* in common library paths.

For example, VirtualBox guests have /usr/lib/VBoxOGL.so. Without this change, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and displays:

ImportError: libGL.so.1: failed to map segment from shared object

… and the system logs have:

apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.

So let's not assume all libraries have a name that starts with "lib".

Bug-Tails: https://redmine.tails.boum.org/code/issues/16414

Candidate for master and 2.13.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/345

Signed-off-by: John Johansen <email address hidden>
- 4064. By John Johansen <email address hidden>
-
dovecot: master SIGTERM child that are slow to die
When doing a service reload, I noticed the following:
```
Mar 22 15:52:27 smtp dovecot: master: Warning: SIGHUP received - reloading configuration
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=35309 out=232805
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=24600 out=1688166
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=14026 out=95516
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=13776 out=141513
Mar 22 15:52:33 smtp dovecot: master: Warning: Processes aren't dying after reload, sending SIGTERM.
Mar 22 15:52:33 smtp dovecot: master: Error: service(imap): kill(5806, 15) failed: Permission denied
Mar 22 15:52:33 smtp dovecot: master: Error: service(imap-login): kill(5804, 15) failed: Permission denied
Mar 22 15:52:33 smtp dovecot: master: Error: service(config): kill(506, 15) failed: Permission denied
Mar 22 15:52:33 smtp kernel: [65542.184326] audit: type=1400 audit(1553284353.609:82): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap"
Mar 22 15:52:33 smtp kernel: [65542.197596] audit: type=1400 audit(1553284353.625:83): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap-login"
Mar 22 15:52:33 smtp kernel: [65542.197635] audit: type=1400 audit(1553284353.625:84): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/config"
Mar 22 15:52:36 smtp dovecot: imap(simon): Server shutting down. in=17882 out=104004
```

The server was heavily loaded which is probably why it ended up trying to SIGTERM those.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/357

Signed-off-by: John Johansen <email address hidden>
- 4063. By John Johansen <email address hidden>
-
Add support for profiles with xattrs matching

Add userland support for matching based on extended file attributes. This
leverages DFA based matching already in the kernel:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e51f908
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73f488cd

Matching is exposed via flags on the profile:

/usr/bin/* xattrs=(user.foo=bar user.bar=foo) {
  # ...
}

xattr values are appended to the existing xmatch via a null transition.

$ echo '/usr/bin/* xattrs=(user.foo=foo user.bar=bar) {}' | \
    ./parser/apparmor_parser -QT -D expr-tree
DFA: Expression Tree
/usr/bin/[^\0000/]([^\0000/])*(\0000bar)?(\0000foo)?<0x1>
DFA: Expression Tree
(\a|(\n|(\0002|\t)))<0x4>

Tested manually on a 4.19 kernel via QEMU+KVM.

TODO:
* ~~Add regression tests~~ (EDIT: done)
* ~~EDIT: add support in the tools~~ (EDIT: done)

Questions for reviewers:
* ~~parser/libapparmor: regex construction probably needs cleaning up~~ (EDIT: done)
* ~~parser/parser_regex.c: confused what xmatch length is for~~ (EDIT: done)

/cc @mjg59

PR: https://gitlab.com/apparmor/apparmor/merge_requests/270

Signed-off-by: John Johansen <email address hidden>
- 4062. By John Johansen <email address hidden>
-
Get rid of $MODULE, replace usage with hardcoded "apparmor"
I slightly ;-) doubt we'll change the module name.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/354

Signed-off-by: Christian Boltz <email address hidden>
Signed-off-by: John Johansen <email address hidden>
- 4061. By John Johansen <email address hidden>
-
parser/libapparmor_re: remove unnecessary throw(int)

Compiling the parser currently prints a deprecation warning. Remove
throw(int) annotations from function signatures. These aren't required
to catch exceptions. This gets us closer to possibly enabling '-Werror'
in the future.

For example, the following program catches the exception without a
throw(int) annotation:

#include <iostream>

void throw_an_error()
{
    throw 3;
    return;
}

int main ()
{
    try
    {
        throw_an_error();
    }
    catch (int e)
    {
        std::cout << "caught exception " << e << '\n';
    }
    return 0;
}

This program prints:

$ g++ -o error error.cc
$ ./error
caught exception 3

PR: https://gitlab.com/apparmor/apparmor/merge_requests/356

Signed-off-by: Eric Chiang <email address hidden>
Signed-off-by: John Johansen <email address hidden>
- 4060. By Christian Boltz <email address hidden>
-
Merge branch 'cboltz-shellcheck' into 'master'
Make shellcheck happier
See merge request apparmor/apparmor!355

Acked-by: Eric Chiang <email address hidden>
- 4059. By Christian Boltz <email address hidden>
-
Merge branch 'cboltz-deprecate-kill' into 'master'

drop most of apparmor_kill()

See merge request apparmor/apparmor!351

Acked-by: Eric Chiang <email address hidden>
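Two of the revisions above (4065, the VBoxOGL.so file_mmap denial, and 4064, the dovecot signal denials) are driven by apparmor="DENIED" audit records. The script below is an added example, not the project's aa-logprof or its propose_file_rules code: it parses records of that shape and suggests the profile rule that would allow each event, merging repeated denials for the same target. The sample records are constructed for this example from the messages quoted above; the two onionshare-gui lines carry made-up audit prefixes, and an extra open/"r" event is included so the merge of "m" and "r" into one rule is visible. Pairing an "m" denial with "r" is a choice made here to mirror the "mr on *.so*" rule in the base abstraction change, not something the log itself states.

```python
"""Suggest AppArmor profile rules from apparmor="DENIED" audit records.

Stand-alone illustration (not the apparmor project's own tooling). The log
below is constructed from the messages quoted on this page; the audit prefixes
on the two onionshare-gui lines and the open/r event are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# key=value or key="quoted value"; audit fields never contain spaces outside
# quotes, which is all this small parser relies on.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Conventional spelling order for file permission letters ("mr", "rw", "rwk").
_PERM_ORDER = "mrwalk"

SAMPLE_LOG = """\
Mar 22 15:52:33 smtp kernel: [65542.184326] audit: type=1400 audit(1553284353.609:82): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap"
Mar 22 15:52:33 smtp kernel: [65542.197596] audit: type=1400 audit(1553284353.625:83): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap-login"
Mar 22 15:52:33 smtp kernel: [65542.197635] audit: type=1400 audit(1553284353.625:84): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/config"
audit: type=1400 audit(1553284000.000:85): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
audit: type=1400 audit(1553284000.001:86): apparmor="DENIED" operation="open" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 22 15:52:33 smtp dovecot: master: Error: service(imap): kill(5806, 15) failed: Permission denied
"""


@dataclass
class Denial:
    operation: str
    profile: str
    mask: str          # denied_mask, falling back to requested_mask
    name: str = ""     # file path for file operations
    peer: str = ""     # peer profile for signal operations
    signal: str = ""
    pid: str = ""
    comm: str = ""


def parse_record(line: str) -> Denial | None:
    """Return a Denial for an apparmor="DENIED" record, None for anything else."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if fields.get("apparmor") != "DENIED":
        return None
    return Denial(
        operation=fields.get("operation", ""),
        profile=fields.get("profile", ""),
        mask=fields.get("denied_mask") or fields.get("requested_mask", ""),
        name=fields.get("name", ""),
        peer=fields.get("peer", ""),
        signal=fields.get("signal", ""),
        pid=fields.get("pid", ""),
        comm=fields.get("comm", ""),
    )


def file_rule(name: str, perms: set[str]) -> str:
    """Render one file rule for the merged permission set of a path."""
    perms = set(perms)
    if "x" in perms:
        # An exec needs a transition qualifier (ix/Px/Cx/Ux) that only the
        # profile author can choose, so flag it instead of guessing.
        return f"# {name}: exec denied, add an explicit ix/Px/Cx/Ux rule by hand"
    if "m" in perms:
        # Example's choice: a PROT_EXEC mapping of a library also needs read
        # access, matching the "mr on *.so*" rule in the base abstraction change.
        perms.add("r")
    ordered = "".join(p for p in _PERM_ORDER if p in perms)
    ordered += "".join(sorted(p for p in perms if p not in _PERM_ORDER))
    return f"{name} {ordered},"


def suggest_rules(log_text: str) -> dict[str, list[str]]:
    """Group denials per profile and return one suggested rule per target."""
    file_perms: dict[tuple[str, str], set[str]] = {}
    signals: dict[tuple[str, str], set[str]] = {}
    for line in log_text.splitlines():
        d = parse_record(line)
        if d is None:
            continue
        if d.operation == "signal":
            signals.setdefault((d.profile, d.peer), set()).add(d.signal)
        elif d.name and d.mask:
            file_perms.setdefault((d.profile, d.name), set()).update(d.mask)
    rules: dict[str, list[str]] = {}
    for (profile, name), perms in file_perms.items():
        rules.setdefault(profile, []).append(file_rule(name, perms))
    for (profile, peer), sigs in signals.items():
        rules.setdefault(profile, []).append(
            f"signal (send) set=({' '.join(sorted(sigs))}) peer={peer},")
    return rules


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```

Run against the constructed log this yields `/usr/lib/VBoxOGL.so mr,` for the onionshare-gui profile and three `signal (send) set=(term) peer=...` rules for dovecot; the non-audit dovecot "Permission denied" line is skipped because it carries no apparmor="DENIED" field. Suggested rules are a starting point for review, not something to paste into a profile unread.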
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)