Commit 3957ddc4 authored by intrigeri's avatar intrigeri

Cherry-pick 5 more commits from upstream apparmor-2.13 branch (Closes: #921866...

Cherry-pick 5 more commits from upstream apparmor-2.13 branch (Closes: #921866 and a bunch of issues that are tracked upstream but not in the Debian BTS)
parent cd64a563
......@@ -13,6 +13,11 @@ upstream-commit-0016e02-dnsmasq-allow-peer-libvirtd-to-support-named-profile.pat
upstream-commit-9dbb1bc-audio-Fix-alsa-settings-access.patch
upstream-mr-320-audio-abstraction-grant-read-access-to-the-system-wide-as.patch
upstream-mr-320-audio-abstraction-grant-read-access-to-the-libao-configur.patch
upstream-commit-aae838f-Update-kde-abstraction-for-common-settings.patch
upstream-commit-dc3b73d-kde-fix-global-settings-access-for-Kubuntu-and-openSUSE.patch
upstream-commit-6fd3abe-vulkan-allow-reading-etc-vulkan-icd.d.patch
upstream-commit-f75ec6f-usr-merge-fixups.patch
upstream-commit-394d086-parser-Fix-parser-failing-to-handle-errors-when-setting-u.patch
debian/add-debian-integration-to-lighttpd.patch
debian/libapparmor-layout-deb.patch
debian/etc-writable.patch
......
From: John Johansen <john.johansen@canonical.com>
Date: Wed, 20 Feb 2019 01:17:06 -0800
Subject: parser: Fix parser failing to handle errors when setting up work
The parser is not correctly handling some error conditions when
dealing with work units. Failure to spawn work, access files, etc
should be returned where appropriate, and be able to abort processing
if abort_on_error is set.
In addition some errors are leading to a direct exit without checking
for abort_on_error.
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921866
BugLink: http://bugs.launchpad.net/bugs/1815294
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Eric Chiang <ericchiang@google.com>
(backported from commit cb43e57d27962039c5bc2a380936c7316575701f)
Conflicts:
parser/parser_main.c
Reason:
commit 48a32b78b189cf9e2c4d8bce8fb45c68bf4cc327 not backported
---
parser/parser.h | 14 +++++++++++--
parser/parser_main.c | 57 ++++++++++++++++++++++++++++++++++++++--------------
2 files changed, 54 insertions(+), 17 deletions(-)
diff --git a/parser/parser.h b/parser/parser.h
index e7acda6..5643f55 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -171,13 +171,23 @@ extern int preprocess_only;
#ifdef DEBUG
-#define PDEBUG(fmt, args...) fprintf(stderr, "parser: " fmt, ## args)
+#define PDEBUG(fmt, args...) \
+do { \
+ int pdebug_error = errno; \
+ fprintf(stderr, "parser: " fmt, ## args); \
+ errno = pdebug_error; \
+} while (0)
#else
#define PDEBUG(fmt, args...) /* Do nothing */
#endif
#define NPDEBUG(fmt, args...) /* Do nothing */
-#define PERROR(fmt, args...) fprintf(stderr, fmt, ## args)
+#define PERROR(fmt, args...) \
+do { \
+ int perror_error = errno; \
+ fprintf(stderr, fmt, ## args); \
+ errno = perror_error; \
+} while (0)
#ifndef TRUE
#define TRUE (1)
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 6260d02..0e3666b 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -1088,8 +1088,11 @@ do { \
work_sync_one(RESULT); \
} while (0)
+/* returns -1 if work_spawn fails, not a return value of any unit of work */
#define work_spawn(WORK, RESULT) \
-do { \
+({ \
+ int localrc = 0; \
+ do { \
/* what to do to avoid fork() overhead when single threaded \
if (jobs == 1) { \
// no parallel work so avoid fork() overhead \
@@ -1126,11 +1129,17 @@ do { \
fprintf(stderr, " JOBS SPAWN: created %ld ...\n", njobs); \
} else { \
/* error */ \
- if (debug_jobs) \
- fprintf(stderr, " JOBS SPAWN: failed error: %d) ...\n", errno); \
+ if (debug_jobs) { \
+ int error = errno; \
+ fprintf(stderr, " JOBS SPAWN: failed error: %d) ...\n", errno); \
+ errno = error; \
+ } \
RESULT(errno); \
+ localrc = -1; \
} \
-} while (0)
+ } while (0); \
+ localrc; \
+})
/* sadly C forces us to do this with exit, long_jump or returning error
@@ -1207,11 +1216,15 @@ static int profile_dir_cb(int dirfd unused, const char *name, struct stat *st,
if (!S_ISDIR(st->st_mode) && !is_blacklisted(name, NULL)) {
struct dir_cb_data *cb_data = (struct dir_cb_data *)data;
autofree char *path = NULL;
- if (asprintf(&path, "%s/%s", cb_data->dirname, name) < 0)
+ if (asprintf(&path, "%s/%s", cb_data->dirname, name) < 0) {
PERROR(_("Out of memory"));
- work_spawn(process_profile(option, cb_data->kernel_interface,
- path, cb_data->policy_cache),
- handle_work_result);
+ handle_work_result(errno);
+ return -1;
+ }
+ rc = work_spawn(process_profile(option,
+ cb_data->kernel_interface,
+ path, cb_data->policy_cache),
+ handle_work_result);
}
return rc;
}
@@ -1225,11 +1238,15 @@ static int binary_dir_cb(int dirfd unused, const char *name, struct stat *st,
if (!S_ISDIR(st->st_mode) && !is_blacklisted(name, NULL)) {
struct dir_cb_data *cb_data = (struct dir_cb_data *)data;
autofree char *path = NULL;
- if (asprintf(&path, "%s/%s", cb_data->dirname, name) < 0)
+ if (asprintf(&path, "%s/%s", cb_data->dirname, name) < 0) {
PERROR(_("Out of memory"));
- work_spawn(process_binary(option, cb_data->kernel_interface,
- path),
- handle_work_result);
+ handle_work_result(errno);
+ return -1;
+ }
+ rc = work_spawn(process_binary(option,
+ cb_data->kernel_interface,
+ path),
+ handle_work_result);
}
return rc;
}
@@ -1359,11 +1376,14 @@ int main(int argc, char *argv[])
}
/* skip stdin if we've seen other command line arguments */
if (i == argc && optind != argc)
- continue;
+ goto cleanup;
if (profilename && stat(profilename, &stat_file) == -1) {
+ last_error = errno;
PERROR("File %s not found, skipping...\n", profilename);
- continue;
+ if (abort_on_error)
+ break;
+ goto cleanup;
}
if (profilename && S_ISDIR(stat_file.st_mode)) {
@@ -1378,20 +1398,27 @@ int main(int argc, char *argv[])
cb = binary_input ? binary_dir_cb : profile_dir_cb;
if ((retval = dirat_for_each(AT_FDCWD, profilename,
&cb_data, cb))) {
+ last_error = errno;
PDEBUG("Failed loading profiles from %s\n",
profilename);
+ if (abort_on_error)
+ break;
}
} else if (binary_input) {
+ /* ignore return as error is handled in work_spawn */
work_spawn(process_binary(option, kernel_interface,
profilename),
handle_work_result);
} else {
+ /* ignore return as error is handled in work_spawn */
work_spawn(process_profile(option, kernel_interface,
profilename, policy_cache),
handle_work_result);
}
- if (profilename) free(profilename);
+ cleanup:
+ if (profilename)
+ free(profilename);
profilename = NULL;
}
work_sync(handle_work_result);
From: Christian Boltz <gitlab2@cboltz.de>
Date: Sun, 10 Feb 2019 13:40:53 +0000
Subject: vulkan: allow reading /etc/vulkan/icd.d/
See merge request apparmor/apparmor!329
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
(cherry picked from commit f2c0a1132707256aa3370e6f051965fdef80d7eb)
e322c02c vulkan: allow reading /etc/vulkan/icd.d/
---
profiles/apparmor.d/abstractions/vulkan | 1 +
1 file changed, 1 insertion(+)
diff --git a/profiles/apparmor.d/abstractions/vulkan b/profiles/apparmor.d/abstractions/vulkan
index 39b5d5f..7f0d8cb 100644
--- a/profiles/apparmor.d/abstractions/vulkan
+++ b/profiles/apparmor.d/abstractions/vulkan
@@ -3,6 +3,7 @@
# System files
/dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
+ /etc/vulkan/icd.d/{,*.json} r,
/etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
# for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
@{sys}/devices/pci[0-9]*/*/drm/ r,
From: Vincas Dargis <vindrg@gmail.com>
Date: Tue, 7 Aug 2018 20:20:08 +0300
Subject: Update kde abstraction for common settings
Add rules to allow reading common KDE-specific settings, used mostly by
native KDE file dialog.
---
profiles/apparmor.d/abstractions/kde | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/profiles/apparmor.d/abstractions/kde b/profiles/apparmor.d/abstractions/kde
index 563ae03..be03995 100644
--- a/profiles/apparmor.d/abstractions/kde
+++ b/profiles/apparmor.d/abstractions/kde
@@ -24,6 +24,7 @@
/etc/kde3/* r,
/etc/kde4rc r,
/etc/xdg/Trolltech.conf r,
+/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
owner @{HOME}/.DCOPserver_* r,
owner @{HOME}/.ICEauthority r,
@@ -31,7 +32,14 @@ owner @{HOME}/.fonts.* lrw,
owner @{HOME}/.kde{,4}/share/config/kdeglobals rw,
owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
owner @{HOME}/.qt/** rw,
+owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
owner @{HOME}/.config/Trolltech.conf rwk,
+owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
+owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
+owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
+owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/share/X11/XKeysymDB r,
From: Vincas Dargis <vindrg@gmail.com>
Date: Mon, 4 Feb 2019 19:59:47 +0200
Subject: kde: fix global settings access for Kubuntu and openSUSE
On Kubuntu, these denies are being produced:
```
type=AVC msg=audit(1549301888.419:91): apparmor="DENIED" operation="open"
profile="qtox"
name="/usr/share/kubuntu-default-settings/kf5-settings/kdeglobals" pid=1603
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1549301964.008:126): apparmor="DENIED" operation="open"
profile="qtox" name="/usr/share/kubuntu-default-settings/kf5-settings/breezerc"
pid=1822 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1549302031.194:155): apparmor="DENIED" operation="open"
profile="qtox"
name="/usr/share/kubuntu-default-settings/kf5-settings/baloofilerc" pid=1899
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
Meanwhile, on openSUSE:
```
type=AVC msg=audit(1549302286.921:205): apparmor="DENIED" operation="open" profile="qtox" name="/etc/xdg/kdeglobals" pid=12781 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
Add read only rules for allowing access to global KDE settings.
---
profiles/apparmor.d/abstractions/kde | 2 ++
1 file changed, 2 insertions(+)
diff --git a/profiles/apparmor.d/abstractions/kde b/profiles/apparmor.d/abstractions/kde
index be03995..cad5c7d 100644
--- a/profiles/apparmor.d/abstractions/kde
+++ b/profiles/apparmor.d/abstractions/kde
@@ -23,8 +23,10 @@
/etc/kderc r,
/etc/kde3/* r,
/etc/kde4rc r,
+/etc/xdg/kdeglobals r,
/etc/xdg/Trolltech.conf r,
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
+/usr/share/kubuntu-default-settings/kf5-settings/* r,
owner @{HOME}/.DCOPserver_* r,
owner @{HOME}/.ICEauthority r,
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment