54c6343...
by
Christian Boltz
on 2024-05-02
Merge fix pipeline for ubuntu:latest in apparmor-3.0
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1224
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>
ac7c791...
by
Georgia Garcia
on 2024-05-02
utils: aa-notify tests fail in new python versions due to warnings
Due to several 'SyntaxWarning: invalid escape sequence' aa-notify
tests fail on Python 3.12.3.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <email address hidden>
09402d2...
by
intrigeri
on 2022-02-13
CI: don't install unneeded python-all-dev (Python 2)
(cherry picked from commit 3c1163825b28b99cf827d1c87f3d500539030689)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <email address hidden>
dcb3493...
by
John Johansen <email address hidden>
on 2024-04-22
Merge profiles: add fixes for samba from issue #386
Signed-off-by: Alex Murray <email address hidden>
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/386
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1219
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 1457eada8b421b4f39eb6e1381efecd2f3adcac7)
Signed-off-by: John Johansen <email address hidden>
8d6174e...
by
John Johansen
on 2024-04-08
Revert abi change for unix_chkpwd introduced by b69add4f2
commit
b69add4f2 Merge Allow pam_unix to execute unix_chkpwd
is a backport of a fix but that fix also updated the abi and that change
was unfortunately not dropped when it should have been.
Signed-off-by: John Johansen <email address hidden>
d18bc59...
by
John Johansen <email address hidden>
on 2024-04-03
Merge Move pam-related permissions to abstractions/authentication
... instead of keeping them in the smbd profile.
For details, see c09f58a364594607cdf5703d6e11aec14ade3ea8 and
https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
Also replace /usr/etc/ with @{etc_ro} so that also /etc/ is covered.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1191
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit f33488478753d2f4138150cfc69b9d120a7e7f25)
Signed-off-by: John Johansen <email address hidden>
b69add4...
by
John Johansen <email address hidden>
on 2024-03-14
Merge Allow pam_unix to execute unix_chkpwd
Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading
/etc/shadow itself. Add exec permissions to abstraction/authentication.
It also needs to read /proc/@{pid}/loginuid
Also cleanup the now-superfluous rules from the smbd profile.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1181
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 9a1838016c18aea24fde26858311b48b2fd8f3d6)
Signed-off-by: John Johansen <email address hidden>
7e04655...
by
John Johansen <email address hidden>
on 2024-03-12
Merge abstractions/crypto: allow read of more common crypto configuration files
Administrators might want to define global limits (e.g. disabling
a particular feature) via configuration files, but to make that work
all confined software needs to be allowed to read those files or
otherwise the risk is to silently fall back to internal defaults.
This adds the paths usually used by gnutls and openssl to improve these kinds of use cases.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2056739
Fixes: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2056747
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1178
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3d1dedfa7e75ff67ec9282d1c7c42ddb53422595)
Signed-off-by: John Johansen <email address hidden>
e575889...
by
John Johansen <email address hidden>
on 2024-04-03
Merge profiles/samba*: allow /etc/gnutls/config & @{HOMEDIRS}
# abstractions/samba: allow /etc/gnutls/config
Various samba components want to read it. Without it, shares cannot be accessed.
apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24037 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24036 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24038 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24041 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24039 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=24040 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=24035 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
# profiles/apparmor.d/samba-rpcd-classic: allow @{HOMEDIRS}
Give access to @{HOMEDIRS}, just like in usr.sbin.smbd, so that
usershares in /home/ can be accessed.
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/379
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1200
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 5998a0021a4f7527fe0b64771e5b9efe71267d8e)
Signed-off-by: John Johansen <email address hidden>
ff6489b...
by
John Johansen <email address hidden>
on 2024-04-03
Merge usr.sbin.sshd: Add new permissions needed on Ubuntu 24.04
Testing on noble turned these up:
`2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"`
`2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"`
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1196
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3aa40249cf153c17be5ad9d20a77365915397000)
Signed-off-by: John Johansen <email address hidden>