Commit 8e348ed0 authored by intrigeri's avatar intrigeri

New upstream version 2.13.2

parents 1cdc73e0 af4808b5
......@@ -95,6 +95,8 @@ libraries/libapparmor/src/.deps
libraries/libapparmor/src/.libs
libraries/libapparmor/src/Makefile
libraries/libapparmor/src/Makefile.in
libraries/libapparmor/src/PMurHash.lo
libraries/libapparmor/src/PMurHash.o
libraries/libapparmor/src/af_protos.h
libraries/libapparmor/src/change_hat.lo
libraries/libapparmor/src/features.lo
......@@ -188,6 +190,7 @@ utils/*.tmp
utils/po/*.mo
utils/apparmor/*.pyc
utils/apparmor/rule/*.pyc
utils/test/common_test.pyc
utils/test/.coverage
utils/test/htmlcov/
utils/vim/apparmor.vim
......
......@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "AA-ENABLED 1"
.TH AA-ENABLED 1 "2018-10-13" "AppArmor 2.13.1" "AppArmor"
.TH AA-ENABLED 1 "2018-12-21" "AppArmor 2.13.2" "AppArmor"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......
......@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "AA-EXEC 1"
.TH AA-EXEC 1 "2018-10-13" "AppArmor 2.13.1" "AppArmor"
.TH AA-EXEC 1 "2018-12-21" "AppArmor 2.13.2" "AppArmor"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......
......@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "MOD_APPARMOR 8"
.TH MOD_APPARMOR 8 "2018-10-13" "AppArmor 2.13.1" "AppArmor"
.TH MOD_APPARMOR 8 "2018-12-21" "AppArmor 2.13.2" "AppArmor"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......
git@gitlab.com:apparmor/apparmor.git apparmor-2.13 v2.13-120-g2e922a9a9b31088c
git@gitlab.com:apparmor/apparmor.git apparmor-2.13 v2.13.1-40-gaf4808b5f6b58946
......@@ -2798,7 +2798,7 @@ fi
# Define the identity of the package.
PACKAGE=libapparmor1
VERSION=2.13.1
VERSION=2.13.2
cat >>confdefs.h <<_ACEOF
......
......@@ -2798,7 +2798,7 @@ fi
# Define the identity of the package.
PACKAGE=libapparmor1
VERSION=2.13.1
VERSION=2.13.2
cat >>confdefs.h <<_ACEOF
......
......@@ -2811,7 +2811,7 @@ m4trace:configure.ac:6: -1- m4_pattern_allow([^LIBS$])
m4trace:configure.ac:6: -1- m4_pattern_allow([^build_alias$])
m4trace:configure.ac:6: -1- m4_pattern_allow([^host_alias$])
m4trace:configure.ac:6: -1- m4_pattern_allow([^target_alias$])
m4trace:configure.ac:8: -1- AM_INIT_AUTOMAKE([libapparmor1], [2.13.1])
m4trace:configure.ac:8: -1- AM_INIT_AUTOMAKE([libapparmor1], [2.13.2])
m4trace:configure.ac:8: -1- m4_pattern_allow([^AM_[A-Z]+FLAGS$])
m4trace:configure.ac:8: -1- AM_SET_CURRENT_AUTOMAKE_VERSION
m4trace:configure.ac:8: -1- AM_AUTOMAKE_VERSION([1.15.1])
......
......@@ -151,7 +151,7 @@ m4trace:configure.ac:6: -1- m4_pattern_allow([^host_alias$])
m4trace:configure.ac:6: -1- AC_SUBST([target_alias])
m4trace:configure.ac:6: -1- AC_SUBST_TRACE([target_alias])
m4trace:configure.ac:6: -1- m4_pattern_allow([^target_alias$])
m4trace:configure.ac:8: -1- AM_INIT_AUTOMAKE([libapparmor1], [2.13.1])
m4trace:configure.ac:8: -1- AM_INIT_AUTOMAKE([libapparmor1], [2.13.2])
m4trace:configure.ac:8: -1- m4_pattern_allow([^AM_[A-Z]+FLAGS$])
m4trace:configure.ac:8: -1- AM_AUTOMAKE_VERSION([1.15.1])
m4trace:configure.ac:8: -1- AC_REQUIRE_AUX_FILE([install-sh])
......@@ -176,7 +176,7 @@ configure.ac:8: the top level])
m4trace:configure.ac:8: -1- AC_SUBST([PACKAGE], [libapparmor1])
m4trace:configure.ac:8: -1- AC_SUBST_TRACE([PACKAGE])
m4trace:configure.ac:8: -1- m4_pattern_allow([^PACKAGE$])
m4trace:configure.ac:8: -1- AC_SUBST([VERSION], [2.13.1])
m4trace:configure.ac:8: -1- AC_SUBST([VERSION], [2.13.2])
m4trace:configure.ac:8: -1- AC_SUBST_TRACE([VERSION])
m4trace:configure.ac:8: -1- m4_pattern_allow([^VERSION$])
m4trace:configure.ac:8: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE])
......
......@@ -2798,7 +2798,7 @@ fi
# Define the identity of the package.
PACKAGE=libapparmor1
VERSION=2.13.1
VERSION=2.13.2
cat >>confdefs.h <<_ACEOF
......
......@@ -42,8 +42,8 @@ scanner.h: scanner.l
scanner.c: scanner.l
af_protos.h: /usr/include/netinet/in.h
LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" $< > $@
af_protos.h:
echo '#include <netinet/in.h>' | $(CC) -E -dM - | LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
lib_LTLIBRARIES = libapparmor.la
noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
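Review bot: The new `af_protos.h` recipe cannot fail on a broken or missing `$(CC)`: the pipeline's exit status is sed's, so a preprocessor error leaves an empty `af_protos.h` that make then treats as up to date, and because the rule now has no prerequisites it is only regenerated after a clean. Write to a temporary file and require non-empty output before renaming, i.e. end the pipeline with `> $@.tmp` and add `test -s $@.tmp && mv -f $@.tmp $@` as the next recipe line (or add `.DELETE_ON_ERROR:` plus `set -o pipefail` through `.SHELLFLAGS` if bash is acceptable here). The fix belongs in Makefile.am; the Makefile.in hunk below is generated from it. The sed output is presumably consumed as a protocol-name table, so a silently empty header would only surface later as missing lookups, which is why failing loudly at build time matters.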
......
......@@ -1182,8 +1182,8 @@ scanner.h: scanner.l
scanner.c: scanner.l
af_protos.h: /usr/include/netinet/in.h
LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" $< > $@
af_protos.h:
echo '#include <netinet/in.h>' | $(CC) -E -dM - | LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
%.pc: %.pc.in $(top_builddir)/config.status
$(AM_V_GEN)cd "$(top_builddir)" && \
......
......@@ -559,8 +559,8 @@ distclean-generic:
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
@HAVE_PYTHON_FALSE@clean-local:
@HAVE_PYTHON_FALSE@install-exec-local:
@HAVE_PYTHON_FALSE@clean-local:
clean: clean-recursive
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
......
......@@ -379,8 +379,8 @@ distclean-generic:
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
@HAVE_RUBY_FALSE@clean-local:
@HAVE_RUBY_FALSE@install-exec-local:
@HAVE_RUBY_FALSE@clean-local:
clean: clean-am
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
......
......@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "AA-TEARDOWN 8"
.TH AA-TEARDOWN 8 "2018-10-13" "AppArmor 2.13.1" "AppArmor"
.TH AA-TEARDOWN 8 "2018-12-21" "AppArmor 2.13.2" "AppArmor"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......
......@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "APPARMOR 7"
.TH APPARMOR 7 "2018-10-13" "AppArmor 2.13.1" "AppArmor"
.TH APPARMOR 7 "2018-12-21" "AppArmor 2.13.2" "AppArmor"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......@@ -248,6 +248,62 @@ to klogd; klogd will send the messages to syslog, which will log the
messages with the \s-1KERN\s0 facility. Thus, \s-1REJECTING\s0 and \s-1PERMITTING\s0 messages
may go to either \fI/var/log/audit/audit.log\fR or \fI/var/log/messages\fR,
depending upon local configuration.
.SH "DEBUGGING"
.IX Header "DEBUGGING"
AppArmor provides a few facilities to log more information,
which can help debugging profiles.
.SS "Enable debug mode"
.IX Subsection "Enable debug mode"
When debug mode is enabled, AppArmor will log a few extra messages to
dmesg (not via the audit subsystem). For example, the logs will tell
whether environment scrubbing has been applied.
.PP
To enable debug mode, run:
.PP
.Vb 1
\& echo 1 > /sys/module/apparmor/parameters/debug
.Ve
.SS "Turn off deny audit quieting"
.IX Subsection "Turn off deny audit quieting"
By default, operations that trigger \f(CW\*(C`deny\*(C'\fR rules are not logged.
This is called \fIdeny audit quieting\fR.
.PP
To turn off deny audit quieting, run:
.PP
.Vb 1
\& echo \-n noquiet >/sys/module/apparmor/parameters/audit
.Ve
.SS "Force audit mode"
.IX Subsection "Force audit mode"
AppArmor can log a message for every operation that triggers a rule
configured in the policy. This is called \fIforce audit mode\fR.
.PP
\&\fBWarning!\fR Force audit mode can be extremely noisy even for a single profile,
let alone when enabled globally.
.PP
To set a specific profile in force audit mode, add the \f(CW\*(C`audit\*(C'\fR flag:
.PP
.Vb 1
\& profile foo flags=(audit) { ... }
.Ve
.PP
To enable force audit mode globally, run:
.PP
.Vb 1
\& echo \-n all > /sys/module/apparmor/parameters/audit
.Ve
.PP
If auditd is not running, to avoid losing too many of the extra log
messages, you will likely have to turn off rate limiting by doing:
.PP
.Vb 1
\& echo 0 > /proc/sys/kernel/printk_ratelimit
.Ve
.PP
But even then the kernel ring buffer may overflow and you might
lose messages.
.PP
Else, if auditd is running, see \fIauditd\fR\|(8) and \fIauditd.conf\fR\|(5).
.SH "FILES"
.IX Header "FILES"
.IP "\fI/etc/init.d/apparmor\fR" 4
......
......@@ -21,6 +21,13 @@
<li><a href="#NAME">NAME</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#ERRORS">ERRORS</a></li>
<li><a href="#DEBUGGING">DEBUGGING</a>
<ul>
<li><a href="#Enable-debug-mode">Enable debug mode</a></li>
<li><a href="#Turn-off-deny-audit-quieting">Turn off deny audit quieting</a></li>
<li><a href="#Force-audit-mode">Force audit mode</a></li>
</ul>
</li>
<li><a href="#FILES">FILES</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
</ul>
......@@ -101,6 +108,48 @@
<p>If the userland auditd is not running, the kernel will send audit events to klogd; klogd will send the messages to syslog, which will log the messages with the KERN facility. Thus, REJECTING and PERMITTING messages may go to either <i>/var/log/audit/audit.log</i> or <i>/var/log/messages</i>, depending upon local configuration.</p>
<h1 id="DEBUGGING">DEBUGGING</h1>
<p>AppArmor provides a few facilities to log more information, which can help debugging profiles.</p>
<h2 id="Enable-debug-mode">Enable debug mode</h2>
<p>When debug mode is enabled, AppArmor will log a few extra messages to dmesg (not via the audit subsystem). For example, the logs will tell whether environment scrubbing has been applied.</p>
<p>To enable debug mode, run:</p>
<pre><code> echo 1 &gt; /sys/module/apparmor/parameters/debug</code></pre>
<h2 id="Turn-off-deny-audit-quieting">Turn off deny audit quieting</h2>
<p>By default, operations that trigger <code>deny</code> rules are not logged. This is called <i>deny audit quieting</i>.</p>
<p>To turn off deny audit quieting, run:</p>
<pre><code> echo -n noquiet &gt;/sys/module/apparmor/parameters/audit</code></pre>
<h2 id="Force-audit-mode">Force audit mode</h2>
<p>AppArmor can log a message for every operation that triggers a rule configured in the policy. This is called <i>force audit mode</i>.</p>
<p><b>Warning!</b> Force audit mode can be extremely noisy even for a single profile, let alone when enabled globally.</p>
<p>To set a specific profile in force audit mode, add the <code>audit</code> flag:</p>
<pre><code> profile foo flags=(audit) { ... }</code></pre>
<p>To enable force audit mode globally, run:</p>
<pre><code> echo -n all &gt; /sys/module/apparmor/parameters/audit</code></pre>
<p>If auditd is not running, to avoid losing too many of the extra log messages, you will likely have to turn off rate limiting by doing:</p>
<pre><code> echo 0 &gt; /proc/sys/kernel/printk_ratelimit</code></pre>
<p>But even then the kernel ring buffer may overflow and you might lose messages.</p>
<p>Else, if auditd is running, see auditd(8) and auditd.conf(5).</p>
<h1 id="FILES">FILES</h1>
<dl>
......
......@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "APPARMOR.D 5"
.TH APPARMOR.D 5 "2018-10-13" "AppArmor 2.13.1" "AppArmor"
.TH APPARMOR.D 5 "2018-12-21" "AppArmor 2.13.2" "AppArmor"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......
......@@ -143,6 +143,56 @@ messages with the KERN facility. Thus, REJECTING and PERMITTING messages
may go to either F</var/log/audit/audit.log> or F</var/log/messages>,
depending upon local configuration.
=head1 DEBUGGING
AppArmor provides a few facilities to log more information,
which can help debugging profiles.
=head2 Enable debug mode
When debug mode is enabled, AppArmor will log a few extra messages to
dmesg (not via the audit subsystem). For example, the logs will tell
whether environment scrubbing has been applied.
To enable debug mode, run:
echo 1 > /sys/module/apparmor/parameters/debug
=head2 Turn off deny audit quieting
By default, operations that trigger C<deny> rules are not logged.
This is called I<deny audit quieting>.
To turn off deny audit quieting, run:
echo -n noquiet >/sys/module/apparmor/parameters/audit
=head2 Force audit mode
AppArmor can log a message for every operation that triggers a rule
configured in the policy. This is called I<force audit mode>.
B<Warning!> Force audit mode can be extremely noisy even for a single profile,
let alone when enabled globally.
To set a specific profile in force audit mode, add the C<audit> flag:
profile foo flags=(audit) { ... }
To enable force audit mode globally, run:
echo -n all > /sys/module/apparmor/parameters/audit
If auditd is not running, to avoid losing too many of the extra log
messages, you will likely have to turn off rate limiting by doing:
echo 0 > /proc/sys/kernel/printk_ratelimit
But even then the kernel ring buffer may overflow and you might
lose messages.
Else, if auditd is running, see auditd(8) and auditd.conf(5).
=head1 FILES
=over 4
......
......@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "APPARMOR_PARSER 8"
.TH APPARMOR_PARSER 8 "2018-10-13" "AppArmor 2.13.1" "AppArmor"
.TH APPARMOR_PARSER 8 "2018-12-21" "AppArmor 2.13.2" "AppArmor"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......
......@@ -194,7 +194,8 @@ static void display_usage(const char *command)
"-I n, --Include n Add n to the search path\n"
"-f n, --subdomainfs n Set location of apparmor filesystem\n"
"-m n, --match-string n Use only features n\n"
"-M n, --features-file n Compile features set in file n\n"
"-M n, --features-file n Set compile & kernel features to file n\n"
"--compile-features n Compile features set in file n\n"
"--kernel-features n Kernel features set in file n\n"
"-n n, --namespace n Set Namespace for the profile\n"
"-X, --readimpliesX Map profile read permissions to mr\n"
......@@ -535,14 +536,21 @@ static int process_arg(int c, char *optarg)
}
break;
case 'M':
if (compile_features)
aa_features_unref(compile_features);
if (kernel_features)
aa_features_unref(kernel_features);
if (aa_features_new(&compile_features, AT_FDCWD, optarg)) {
fprintf(stderr,
"Failed to load features from '%s': %m\n",
optarg);
exit(1);
}
kernel_features = aa_features_ref(compile_features);
break;
case 138:
if (kernel_features)
aa_features_unref(kernel_features);
if (aa_features_new(&kernel_features, AT_FDCWD, optarg)) {
fprintf(stderr,
"Failed to load kernel features from '%s': %m\n",
......@@ -550,6 +558,16 @@ static int process_arg(int c, char *optarg)
exit(1);
}
break;
case 139:
if (compile_features)
aa_features_unref(compile_features);
if (aa_features_new(&compile_features, AT_FDCWD, optarg)) {
fprintf(stderr,
"Failed to load compile features from '%s': %m\n",
optarg);
exit(1);
}
break;
case 'q':
conf_verbose = 0;
conf_quiet = 1;
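Review bot: The error message in the `case 'M'` branch still reads "Failed to load features" while the two new branches say "kernel features" and "compile features"; since `-M` now sets both, `"Failed to load compile & kernel features from '%s': %m\n"` would match the help text and tell the user which setting failed. The three options are last-wins per setting in argument order (`-M` after `--kernel-features` replaces the kernel set, and vice versa), which is normal getopt behaviour but worth one line in display_usage, e.g. `"                        (a later --compile-features/--kernel-features overrides it)\n"`. I can't see apparmor_parser.pod in this commit and only the generated man page's date line appears above, so the new long options may still be undocumented there. process_arg starts and ends outside this hunk.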
......
......@@ -113,6 +113,8 @@ skip_profile() {
local profile=$1
if [ "${profile%.rpmnew}" != "${profile}" -o \
"${profile%.rpmsave}" != "${profile}" -o \
"${profile%.orig}" != "${profile}" -o \
"${profile%.rej}" != "${profile}" -o \
-e "${PROFILE_DIR}/disable/`basename ${profile}`" -o \
"${profile%\~}" != "${profile}" ] ; then
return 1
......@@ -128,7 +130,7 @@ skip_profile() {
return 2
fi
if echo "${profile}" | egrep -q '^.+\.new-[0-9\.]+_[0-9]+$'; then
return 2 ;;
return 2
fi
return 0
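Review bot: The replaced `return 2 ;;` was a shell syntax error in both bash and dash (`;;` is only valid inside `case`), which would have stopped this whole functions file from being sourced, so with the previous release profile loading at boot could fail open rather than fail for one profile; nothing in this commit adds a check that prevents a repeat. A cheap guard is an `sh -n` (or shellcheck) run over this file in the parser's `check` target so a parse error is caught before release. The new `.orig`/`.rej` entries are fine, but the `disable/` test in the first hunk still uses an unquoted `basename ${profile}`; `-e "${PROFILE_DIR}/disable/$(basename "${profile}")"` survives profile names containing whitespace. skip_profile spans both hunks of this file.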
......
......@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "SUBDOMAIN.CONF 5"
.TH SUBDOMAIN.CONF 5 "2018-10-13" "AppArmor 2.13.1" "AppArmor"
.TH SUBDOMAIN.CONF 5 "2018-12-21" "AppArmor 2.13.2" "AppArmor"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......
This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.12) 13 OCT 2018 16:42
This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.12) 21 DEC 2018 03:17
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
**\def\fixedpdfdate{20181013233806+0000}\input techdoc.tex
**\def\fixedpdfdate{20181221111602+0000}\input techdoc.tex
(./techdoc.tex (/usr/share/texlive/texmf-dist/tex/latex/base/article.cls
Document Class: article 2014/09/29 v1.4h Standard LaTeX document class
(/usr/share/texlive/texmf-dist/tex/latex/base/size10.clo
......
......@@ -131,9 +131,13 @@ sub test_profile {
} elsif ($coredump) {
ok(0, "$profile: Produced core dump (signal $signal): $description");
} elsif ($istodo) {
TODO: {
local $TODO = "Unfixed testcase.";
ok($expass ? !$result : $result, "TODO: $profile: $description");
if ($expass != $result) {
fail("TODO passed unexpectedly: $profile: $description");
} else {
TODO: {
local $TODO = "Unfixed testcase.";
ok($expass ? !$result : $result, "TODO: $profile: $description");
}
}
} else {
ok($expass ? !$result : $result, "$profile: $description");
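Review bot: `if ($expass != $result)` treats any nonzero `$result` other than 1 as a TODO pass when `$expass` is 1, whereas the surrounding `ok()` calls only distinguish zero from nonzero; if `$result` is an exit status that can exceed 1, an expected-pass test whose parser run fails with status 2 is reported as "TODO passed unexpectedly", and the same file fails once `#=TODO` is removed — which is the symptom recorded in the two `#=DISABLED` test files in this commit, so those may be harness casualties rather than parser bugs. Reuse the existing predicate instead of the numeric comparison: `my $passed = $expass ? !$result : $result;` followed by `if ($passed) {`. I can't see how `$result` is computed; test_profile starts before and ends after this hunk.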
......
......@@ -2,6 +2,7 @@
#=DESCRIPTION abi testing - abi path quotes in <> with spaces
#=EXRESULT PASS
#=TODO
#=DISABLED - results in "superfluous TODO", but fails after removing TODO
abi < "abi/4.19">,
......
......@@ -2,6 +2,7 @@
#=DESCRIPTION abi testing - abi path quotes in <> with spaces
#=EXRESULT PASS
#=TODO
#=DISABLED - results in "superfluous TODO", but fails after removing TODO
abi < "abi/4.19" >,
......
#=DESCRIPTION reference variables in rules that also have alternations
#=EXRESULT PASS
#=TODO
# This test needs check on @{FOO} attachment having leading / post var expansion
@{FOO}=/bar /baz
......
#=DESCRIPTION reference variables is null
#=EXRESULT FAIL
#=TODO
#needs post var expansion check that variable contained a value
@{FOO}=
......
#=DESCRIPTION reference variables is null
#=EXRESULT FAIL
#=TODO
#needs post var expansion check that variable contained a value
@{FOO}=
......
#
#=DESCRIPTION test for conflict resolution in minimization phase of dfa gen
#=EXRESULT PASS
#=TODO
#
/usr/bin/foo {
......
#
#=DESCRIPTION test for conflict resolution in minimization phase of dfa gen
#=EXRESULT FAIL
#=TODO
#
/usr/bin/foo {
/b* px,
......
......@@ -29,6 +29,7 @@ DESTDIR=/
PROFILES_DEST=${DESTDIR}/etc/apparmor.d
EXTRAS_DEST=${DESTDIR}/usr/share/apparmor/extra-profiles/
PROFILES_SOURCE=./apparmor.d
ABSTRACTIONS_SOURCE=./apparmor.d/abstractions
EXTRAS_SOURCE=./apparmor/profiles/extras/
SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
......@@ -84,6 +85,8 @@ docs:
IGNORE_FILES=${EXTRAS_SOURCE}/README
CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*))
# use find because Make wildcard is not recursive:
CHECK_ABSTRACTIONS=$(shell find ${ABSTRACTIONS_SOURCE} -type f -print)
.PHONY: check
check: check-parser check-logprof
......@@ -96,6 +99,14 @@ check-parser: local
${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d $${profile} > /dev/null || exit 1; \
done
@echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser"
$(Q)for abstraction in ${CHECK_ABSTRACTIONS} ; do \
[ -n "${VERBOSE}" ] && echo "Testing $${abstraction}" ; \
echo "#include <tunables/global> profile test { #include <$${abstraction}> }" \
| ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d -I ${PWD} > /dev/null \
|| exit 1; \
done
.PHONY: check-logprof
check-logprof: local
@echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof"
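Review bot: `CHECK_ABSTRACTIONS=$(shell find …)` is a recursive assignment, so `find` is re-run on every expansion of the variable; `CHECK_ABSTRACTIONS:=$(shell find ${ABSTRACTIONS_SOURCE} -type f -print)` evaluates it once (the older `SUBDIRS` line has the same issue). The new loop also passes `${PWD}` to `-b` and `-I`, which is the invoking shell's directory rather than the Makefile's, so `make -C profiles check` would hand apparmor_parser the wrong base directory; prefer `$(CURDIR)`, and change the existing check-parser loop together with it since it uses the same `${PWD}`. The `|| exit 1` correctly propagates the parser's failure because the parser is the last command in the pipeline.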
......
......@@ -7,9 +7,9 @@
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow apache to send us signals by default
signal (receive) peer=/usr/{bin,sbin}/apache2,
signal (receive) peer=apache2,
# Allow other hats to signal by default
signal peer=/usr/{bin,sbin}/apache2//*,
signal peer=apache2//*,
# Allow us to signal ourselves
signal peer=@{profile_name},
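Review bot: `peer=apache2` only matches a profile whose name is literally `apache2`; if a distribution still ships the httpd profile attached by path (`/usr/{bin,sbin}/apache2 { … }`), its name is that path, the two changed rules stop matching, and signals from the parent and between hats are silently denied — a regression that only shows up in the audit log. I can't see the apache2 profile in this commit, so unless it is now declared as `profile apache2 /usr/{bin,sbin}/apache2`, keep both spellings: `signal (receive) peer={apache2,/usr/{bin,sbin}/apache2},` and `signal peer={apache2,/usr/{bin,sbin}/apache2}//*,`. A one-line comment above the rules saying the named profile is required would help downstream profile authors who carry their own apache2 profile.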
......
......@@ -90,8 +90,8 @@
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/online r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,
......
......@@ -14,6 +14,6 @@
deny capability block_suspend,
# dovecot's master can send us signals
signal receive peer=/usr/{bin,sbin}/dovecot,
signal receive peer=dovecot,
/{var/,}run/dovecot/config rw,
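Review bot: `peer=dovecot` carries the same named-profile assumption: the dovecot master profile must now be declared as `profile dovecot /usr/{bin,sbin}/dovecot`, otherwise this `signal receive` rule silently stops matching and the master's signals to this child are denied. The dovecot profile is not in this diff, so I can't confirm it was renamed; `signal receive peer={dovecot,/usr/{bin,sbin}/dovecot},` keeps both forms working during the transition.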
......@@ -4,6 +4,5 @@
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
# libdrm).
# TODO: use @{sys} after it's moved into tunables/kernelvars (LP: #1728551)
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
......@@ -17,7 +17,7 @@
@{PROC}/driver/nvidia/params r,
@{PROC}/modules r,
/sys/devices/system/memory/block_size_bytes r,
@{sys}/devices/system/memory/block_size_bytes r,
owner @{HOME}/.nv/ w,
owner @{HOME}/.nv/GLCache/ rw,
......
......@@ -4,7 +4,7 @@
# System files
/etc/OpenCL/** r,
/sys/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
/sys/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
/sys/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
@{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
......@@ -12,6 +12,6 @@
# System files
/dev/dri/card[0-9]* rw, # beignet/libcl.so
/sys/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
/usr/lib/@{multiarch}/beignet/** r,
......@@ -16,8 +16,8 @@
# libnvidia-opencl.so rules:
/dev/nvidia-uvm rw,
/dev/nvidia-uvm-tools rw,
/sys/devices/pci[0-9]*/**/config r,
/sys/devices/system/memory/block_size_bytes r,
@{sys}/devices/pci[0-9]*/**/config r,
@{sys}/devices/system/memory/block_size_bytes r,
/usr/share/nvidia/** r,
@{PROC}/devices r,
@{PROC}/sys/vm/mmap_min_addr r,
......
......@@ -11,22 +11,22 @@
# System files
/ r, # libpocl.so -> libhwloc.so
/sys/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
/sys/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
/sys/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
/sys/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
/sys/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
/sys/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
/sys/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
/sys/devices/system/cpu/ r, # libpocl.so -> libnuma.so
/sys/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
/sys/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
/sys/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
/sys/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
/sys/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
/sys/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
/sys/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
/sys/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
@{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
@{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
@{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
@{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
@{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
@{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
@{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
@{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so