1. 21 Dec, 2018 2 commits
  2. 16 Dec, 2018 1 commit
  3. 11 Dec, 2018 1 commit
  4. 08 Dec, 2018 6 commits
  5. 30 Nov, 2018 1 commit
    • Christian Boltz's avatar
      Merge branch 'certbot' into 'master' · c044757d
      Christian Boltz authored
      Add /etc/letsencrypt/archive to ssl_key abstraction
      
      See merge request apparmor/apparmor!283
      
      Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
      
      (cherry picked from commit 0a666b8e48c162932a2b8049fbe3be2c909517b1)
      
      cb468786 Add /etc/letsencrypt stuff to ssl_keys/ssl_certs abstraction
      c044757d
  6. 22 Nov, 2018 1 commit
  7. 18 Nov, 2018 1 commit
    • Christian Boltz's avatar
      Fix viewing a local inactive profile in aa-genprof · 37edb354
      Christian Boltz authored
      aa-genprof checks if one of the profiles in the extra profile dir
      matches the binary, and proposes to use that profile as a starting
      point.
      
      Since 4d722f18397dd35b208548d4c841b955c41ac7ce the "(V)iew profile"
      option to display the proposed profile was broken.
      
      The easiest fix is to remember the filename in the extras directory, and
      display the file from there.
      
      Sidenote: when choosing to use the extra profile, it gets written to
      disk without any problems, so this bug really only affected "(V)iew
      profile" to preview the proposed extra profile.
      
      (cherry picked from commit 8b4e76a7d5d87cafb964faa87368dd2b6842f4b8)
      37edb354
  8. 14 Nov, 2018 1 commit
    • Christian Boltz's avatar
      parse_profile_data(): Ensure last line in a profile is valid · b8dc8d13
      Christian Boltz authored
      'lastline' gets merged into 'line' (and reset to None) when reading the
      next line. If 'lastline' isn't empty after reading the whole profile,
      this means there's something unparseable at the end of the profile,
      therefore parse_profile_data() should error out.
      
      Also remove some simple_tests testcases from the 'exception_not_raised'
      list - they only didn't raise the exception because the invalid rule was
      the last line in the affected profile.
      
      Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
      discovering this bug while adding some xattr testcases that surprisingly
      didn't fail in the tools.
      
      PR: https://gitlab.com/apparmor/apparmor/merge_requests/271
      (cherry picked from commit 4efff35bf8991fcdda3f16e65a036826b9b5cf5f)
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      b8dc8d13
  9. 11 Nov, 2018 13 commits
    • intrigeri's avatar
      Merge branch 'use-sys-213' into 'apparmor-2.13' · 1f2eb0bb
      intrigeri authored
      Backport to 2.13: Use @{sys} tunable in profiles and abstractions
      
      See merge request apparmor/apparmor!265
      1f2eb0bb
    • Christian Boltz's avatar
      serialize_profile(): Fix handling of options · 2296c30a
      Christian Boltz authored
      In the 2.13 branch (and older), 'options' is not always a dict, but can
      also be None or an empty string.
      
      Adjust the if condition in serialize_profile() so that "View changes
      between clean profiles" doesn't error out.
      2296c30a
    • Christian Boltz's avatar
      Replace existing_profiles & fix minitools for named profiles · aa328cb0
      Christian Boltz authored
      Technical stuff first:
      
      Replace existing_profiles (a dict with the filenames for both active and
      inactive profiles) with active_profiles and extra_profiles which are
      ProfileList()s and store the active profiles and those in the extra
      directory separately. Thanks to ProfileList, now also the relation
      between attachments and filenames is easily available.
      
      Also replace all usage of existing_profiles with active_profiles and
      extra_profiles, and adjust it to the ProfileList syntax everywhere.
      
      With this change, several bugs in aa-complain and the other minitools
      get fixed:
      - aa-complain etc. never found profiles that have a profile name
        (the attachment wasn't checked)
      - even if the profile name was given as parameter to aa-complain, it
        first did "which $parameter" so it never matched on named profiles
      - profile names with alternations (without attachment specification)
        also never matched because the old code didn't use AARE.
      
      References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
      (search for "As usual" ;-)
      
      Just for completeness - the matching still doesn't honor/expand
      variables in the profile name.
      
      (cherry picked from commit 4d722f18397dd35b208548d4c841b955c41ac7ce)
      aa328cb0
    • Christian Boltz's avatar
      add ProfileList class to store list of profiles · 1d183660
      Christian Boltz authored
      ProfileList is meant to store the list of profiles (both name and
      attachment) and in which files they live.
      
      Also add unittests to make sure everything works as expected.
      
      (cherry picked from commit 789c4658e22ef42e76fd55c14e31fcaa93ef574b)
      1d183660
    • Christian Boltz's avatar
      Move updating existing_profiles out of parse_profile_data() · 7b078324
      Christian Boltz authored
      parse_profile_data() returns the parsed profiles, but writes to
      existing_profiles directly.
      
      read_profiles() calls parse_profile_data() and already handles adding
      the parsed profiles to aa, original_aa or extras, which means updating
      existing_profiles there is a much better place.
      
      This commit also includes a hidden change: Previously, when parsing
      include files, they were also added to existing_profiles. This is
      superfluous, only real profiles need to be stored there.
      
      (cherry picked from commit 8809218ac8cfb89a6c8b2109511960c8aab944aa)
      7b078324
    • Christian Boltz's avatar
      split off get_new_profile_filename() · b6c96f39
      Christian Boltz authored
      ... and call it from get_profile_filename_* if get_new is True
      (= always with the current code)
      
      (cherry picked from commit a6b8d14908dafb3667f05984d39b7e3889503dcc)
      b6c96f39
    • Christian Boltz's avatar
      split get_profile_filename into .._from_profile_name and .._from_attachment · ad236a59
      Christian Boltz authored
      Split get_profile_filename() into
      - get_profile_filename_from_profile_name() (parameter: a profile name)
      - get_profile_filename_from_attachment() (parameter: an attachment)
      
      Currently both functions call get_profile_filename_orig() (formerly
      get_profile_filename()) so the behaviour doesn't change yet.
      
      The most important part of this commit is changing all
      get_profile_filename() calls to use one of the new functions to make
      clear if they specify a profile or an attachment/executable as
      parameter.
      
      As promised, the is_attachment parameter starts to get used in this
      patch ;-)
      
      Note: The get_new parameter (which I'll explain in the patch actually
      using it) is set to True in all calls to the new functions.
      The long term plan is to get rid of it in most cases (hence defaulting
      to False), but that will need more testing.
      
      (cherry picked from commit ec741424f81e152598035324b6fde604427e0a63)
      ad236a59
    • Christian Boltz's avatar
      Add is_attachment parameter to write_profile · f8b95d03
      Christian Boltz authored
      The minitools call write_profile(), write_profile_feedback_ui() and
      serialize_profile() with the _attachment_ as parameter.
      
      However, aa-logprof etc. call them with the _profile name_ as parameter.
      
      This patch adds an is_attachment parameter to write_profile() and
      write_profile_feedback_ui(). It also passes it through to
      serialize_profile() via the options parameter.
      
      If is_attachment is True, the parameter will be handled as attachment,
      otherwise it is expected to be a profile name.
      
      tools.py gets changed to set is_attachment to True when calling the
      functions listed above to make clear that the parameter is an attachment.
      
      Note: This patch only adds the is_attachment parameter/option, but
      doesn't change any behaviour. That will happen in the next patch.
      
      (cherry picked from commit bc783372b879b8f090044b3793a9ca49cc30cd87)
      f8b95d03
    • Christian Boltz's avatar
      Merge branch 'cboltz-view-changes-2.13' into 'apparmor-2.13' · f4d7f8ae
      Christian Boltz authored
      [2.12+2.13] use serialize_profile() for the new profile in (V)iew Changes
      
      See merge request apparmor/apparmor!267
      
      Acked-by: John Johansen <john.johansen@canonical.com> for 2.12 and 2.13
      f4d7f8ae
    • Christian Boltz's avatar
      delete serialize_profile_from_old_profile() · 1b32d764
      Christian Boltz authored
      ... which is unused since the last commit.
      
      Note: unlike 0eb12a8cbd13d17a1784b29d3488fc99e4457e2c, this commit does
      _not_ delete several write_* function that were only used by this
      function. Verifying that these functions are really unused is not worth
      the effort in the 2.13 branch.
      
      (cherry picked from commit 0eb12a8cbd13d17a1784b29d3488fc99e4457e2c -
      but only apply partially)
      1b32d764
    • Christian Boltz's avatar
      use serialize_profile() for the new profile in (V)iew Changes · dd4c2b05
      Christian Boltz authored
      ... instead of serialize_profile_from_old_profile()
      
      This will give a realistic preview of the changes (serialize_profile()
      is also used when actually writing the profile) and replaces the
      known-buggy serialize_profile_from_old_profile() with known-working
      code.
      
      It also fixes the issue reported in
          https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139
      which means we no longer need the workaround of catching AttributeError
      (verified in manual before/after test)
      
      References:
      - https://bugs.launchpad.net/apparmor/+bug/1394788
      - https://bugs.launchpad.net/bugs/1528139
      - https://bugs.launchpad.net/apparmor/+bug/1404893
      
      (cherry picked from commit 469eb444de27fe2c20226b6f15b5b72b12af3ee7)
      dd4c2b05
    • Vincas Dargis's avatar
      Add vulkan abstraction · 31461701
      Vincas Dargis authored
      Add abstraction for Vulkan API specific file paths.
      31461701
    • Vincas Dargis's avatar
      Use @{sys} tunable in profiles and abstractions · 41ff006f
      Vincas Dargis authored
      Commit aa065287909f6a3115bfaf02bee85d323e46b706 made @{sys} tunable
      available by default.
      
      Update profiles and abstractions to actually use @{sys} tunable for
      better confinement in the future (when @{sys} becomes kernel var).
      
      Closes LP#1728551
      41ff006f
  10. 06 Nov, 2018 3 commits
  11. 04 Nov, 2018 1 commit
  12. 26 Oct, 2018 1 commit
  13. 22 Oct, 2018 2 commits
  14. 21 Oct, 2018 2 commits
  15. 20 Oct, 2018 2 commits
  16. 17 Oct, 2018 1 commit
    • Christian Boltz's avatar
      Merge branch 'test-includes' into 'master' · 6f70502a
      Christian Boltz authored
      profiles/Makefile: test abstractions against apparmor_parser
      
      See merge request apparmor/apparmor!237
      
      Acked-by: Christian Boltz <apparmor@cboltz.de> for trunk and 2.13.
      
      Pre-acked for 2.10..2.12 after removing the --config-file option which is not supported in these branches.
      
      (cherry picked from commit 2863e20f37f6b24f99e7d997cb2ae8fbb6efbe73)
      
      dc7ae28d profiles/Makefile: test abstractions against apparmor_parser
      6f70502a
  17. 16 Oct, 2018 1 commit
    • Christian Boltz's avatar
      Merge branch 'aa-notify-manpage' into 'master' · 37e64d99
      Christian Boltz authored
      aa-notify man page: update user's configuration file path
      
      See merge request apparmor/apparmor!239
      
      Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
      
      (cherry picked from commit f920915dd317583a75d5af17797838251e21b031)
      
      2209e09a aa-notify man page: update user's configuration file path
      37e64d99